2024 Data Breach Investigations Report
Verizon Business

[Cover figure: labels for Phishing, Exploit vulnerabilities, Credentials, Desktop sharing, Email and Web applications]

About the cover

This year, the report is delving deeper into the pathway to breaches in an effort to identify the most likely Action and vector groupings that lead to breaches given the current threat landscape. The cracked doorway on the cover is meant to represent the various ways attackers can make their way inside. The opening in the door shows the pattern of our combined "ways-in" percentages (see Figure 7 for a more straightforward representation), and it lets out a band of light displaying a pattern of the Action vector quantities. The inner cover highlights and labels the quantities in a less abstract way. Hope you enjoy our art house phase.
Introduction


Greetings! Welcome to Verizon's 2024 Data Breach Investigations Report (DBIR). This year marks the 17th edition of this publication, and we are thrilled to welcome back our old friends and say hello to new readers. As always, the aim of the DBIR is to shine a light on the various Actor types, the tactics they utilize and the targets they choose. Thanks to our talented, generous and civic-minded contributors from around the world who continue to stick with us and share their data and insight, and deep appreciation for our very own Verizon Threat Research Advisory Center (VTRAC) team (rock stars that they are). These two groups enable us to examine and analyze relevant trends in cybercrime that play out on a global stage across organizations of all sizes and types.


From year to year, we see new and innovative attacks as well as variations on tried-and-true attacks that still remain successful. From the exploitation of well-known and far-reaching zero-day vulnerabilities, such as the one that affected MOVEit, to the much more mundane but still incredibly effective Ransomware and Denial of Service (DoS) attacks, criminals continue to do their utmost to prove the old adage "crime does not pay" wrong.


The shifting landscape of cyber threats can be confusing and overwhelming. When, in addition to the attack types mentioned above, one throws in factors such as the human element and/or poorly protected passwords, things become even more confused. One might be forgiven for viewing the current state of cybersecurity as a colorful cyber Mardi Gras parade: enterprise floats of all shapes and sizes cruising past a large crowd of threat actors who are shouting out gleefully "Throw me some creds!" Of course, human nature being what it is, all too often, the folks on the floats do just that. And, as with all such parades, what is left in the aftermath isn't necessarily pretty. The past year has been a busy one for cybercrime. We analyzed 30,458 real-world security incidents, of which 10,626 were confirmed data breaches (a record high), with victims spanning 94 countries.


While the general structure of the report remains the same, long-time readers may notice a few changes. For example, the "first-time reader" section is now located in Appendix A rather than at the beginning of the report. But we do encourage those who are new to the DBIR to give it a read-through before diving into the report. It should help you get your bearings.


Last, but certainly not least, we extend a most sincere thanks yet again to our contributors (without whom we could not do this) and to our readers (without whom there would be no point in doing it).


Sincerely,

The Verizon DBIR Team
C. David Hylender, Philippe Langlois, Alex Pinto, Suzanne Widup


Very special thanks to:

- Christopher Novak for his continued support and insight
- Dave Kennedy and Erika Gifford from VTRAC
- Kate Kutchko, Marziyeh Khanouki and Yoni Fridman from the Verizon Business Product Data Science Team


Helpful guidance 


About the 2024 DBIR incident dataset 


Each year, the DBIR timeline for in-scope incidents is from November 1 of one calendar year through October 31 of the next calendar year. Thus, the incidents described in this report took place between November 1, 2022, and October 31, 2023. The 2023 caseload is the primary analytical focus of the 2024 report, but the entire range of data is referenced throughout, notably in trending graphs. The time between the latter date and the date of publication for this report is spent in acquiring the data from our global contributors, anonymizing and aggregating that data, analyzing the dataset, and finally creating the graphics and writing the report. The jokes, sadly, do not write themselves.


Credit where credit is due 


Turns out folks enjoy citing the report, and we often get asked how to go about doing it.

You are permitted to include statistics, figures and other information from the report, provided that (a) you cite the source as "Verizon 2024 Data Breach Investigations Report" and (b) the content is not modified in any way. Exact quotes are permitted, but paraphrasing requires review. If you would like to provide people a copy of the report, we ask that you provide them a link to verizon.com/db rather than the PDF.


Questions? Comments? Concerns? Love to 
share cute pet pictures? 


Let us know! Send us a note at dbir@verizon.com, find us on LinkedIn, tweet @VerizonBusiness with #dbir. Got a data question?
Summary of findings


Our ways-in analysis witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years. It almost tripled (180% increase) from last year, which will come as no surprise to anyone who has been following the effect of MOVEit and similar zero-day vulnerabilities. These attacks were primarily leveraged by Ransomware and other Extortion-related threat actors. As one might imagine, the main vector for those initial entry points was Web applications.

Figure 1. Select ways-in enumerations in non-Error, non-Misuse breaches (n=6,263)


Roughly one-third of all breaches involved Ransomware or some other Extortion technique. Pure Extortion attacks have risen over the past year and are now a component of 9% of all breaches. The shift of traditional ransomware actors toward these newer techniques resulted in a bit of a decline in Ransomware to 23%. However, when combined, given that they share threat actors, they represent a strong growth to 32% of breaches. Ransomware was a top threat across 92% of industries.

Figure 2. Ransomware and Extortion breaches over time

Figure 3. Select key enumerations in breaches


We have revised our calculation of the involvement of the human element to exclude malicious Privilege Misuse in an effort to provide a clearer metric of what security awareness can affect. For this year's dataset, the human element was a component of 68% of breaches, roughly the same as the previous period described in the 2023 DBIR.


In this issue, we are introducing an expanded concept of a breach involving a third party that includes partner infrastructure being affected and direct or indirect software supply chain issues, including when an organization is affected by vulnerabilities in third-party software. In short, those are breaches an organization could potentially mitigate or prevent by trying to select vendors with better security track records. We see this figure at 15% this year, a 68% increase from the previous year, mostly fueled by the use of zero-day exploits for Ransomware and Extortion attacks.


Our dataset saw a growth of breaches involving Errors, now at 28%, as we broadened our contributor base to include several new mandatory breach notification entities. This validates our suspicion that errors are more prevalent than media or traditional incident response-driven bias would lead us to believe.




The overall reporting rate of Phishing has been growing over the past few years. In security awareness exercise data contributed by our partners during 2023, 20% of users reported phishing in simulation engagements, and … of the users who clicked the email also reported. That is welcome news because on the flip side, the median time to click on a malicious link after the email is opened is 21 seconds and then only another 28 seconds for the person caught in the phishing scheme to enter their data. This leads to an alarming finding: The median time for users to fall for phishing emails is less than 60 seconds.

Figure 4. Phishing email report rate by click status


Financially motivated threat actors will typically stick to the attack techniques that will give them the most return on investment. Over the past three years, the combination of Ransomware and other Extortion breaches accounted for almost two-thirds (fluctuating between 59% and 66%) of those attacks. According to the FBI's Internet Crime Complaint Center (IC3) ransomware complaint data, the median loss associated with the combination of Ransomware and other Extortion breaches has been $46,000, ranging between $3 (three dollars) and … for … of the cases. We also found from ransomware negotiation data contributors that the median ratio of initially requested ransom and company revenue is 1.34%, but it fluctuated between 0.13% and 8.30% for 80% of the cases.

Figure 5. Select action varieties in Financial motive over time


Similarly, over the past two years, we have seen incidents involving Pretexting (the majority of which had Business Email Compromise [BEC] as the outcome) accounting for one-fourth (ranging between 24% and 25%) of financially motivated attacks. In both years, the median transaction amount of a BEC was around $50,000, also according to the FBI IC3 dataset.
Results and analysis

Results and analysis: Introduction


Hello friends, and welcome to the "Results and analysis" section. This is where we cover the highlights we found in the data this year. This dataset is collected from a variety of sources, including our own VTRAC investigators, reports provided by our data contributors and publicly disclosed security incidents.¹

Because data contributors come and go, one of our priorities is to make sure we can get broad representation on different types of security incidents and the countries where they occur. This ebb and flow of contributors obviously influences our dataset, and we will do our best to provide context on those potential biases where applicable.

This year we onboarded a good number of new contributors and reached an exciting milestone of more than 10,000 breaches analyzed in a single edition. It is an enormous amount of work to organize and analyze, but it's also incredibly gratifying to be able to present these results to you.

In an attempt to be more actionable, we would like to use this section to discuss some high-level findings that transcend the fixed structure of the Vocabulary for Event Recording and Incident Sharing (VERIS) 4As (Actor, Action, Asset and Attribute) and expand on some of the key findings we have been highlighting over the past few years.


Figure 6. Select ways-in enumerations in non-Error, non-Misuse breaches over time

1 Have you checked out the VERIS Community Database (VCDB) yet? You should. It's awesome!


Ways into your sensitive data's heart


One of the actionable perspectives we have created has been the ways-in analysis, in which we try to make sense of the initial steps into breaches to help predict how to best avoid or prevent them. We still have plenty of unknown Actions and vectors dispersed throughout the dataset as investigation processes and disclosure patterns widely differ across our data contributors, but this view of what we know for sure has remained stable and representative over the years.


Figure 6 paints a clear picture of what has been the biggest pain point for everyone this year. This 180% increase in the exploitation of vulnerabilities as the critical path action to initiate a breach will be of no surprise to anyone who has been following the MOVEit vulnerability and other zero-day exploits that were leveraged by Ransomware and Extortion-related threat actors.


This was the sort of result we were expecting in the 2023 DBIR when we analyzed the impact of the Log4j vulnerabilities. That anticipated worst-case scenario discussed in the last report materialized this year with this lesser known but widely deployed product. We will be diving into additional details of MOVEit and vulnerability exploitation in the "Action" and "System Intrusion" pattern sections.


To dig further into this concept of the ways in, we are presenting a new slice of the data, where we are overlaying those different types of Actions with their most popular vectors to help focus response and planning efforts. You can take a peek at those results in Figure 7.

Phishing attacks mostly having an Email vector is rather self-explanatory. So we would like to focus on the combination of Credentials and Web applications. … This should not be surprising as it carries a large share of the Basic Web Application Attacks pattern (i.e., getting unauthorized access to cloud-based email and collaboration accounts).

But recency bias might make folks doubt the prevalence of exploitation of vulnerabilities. Because this report is being written in the beginning of 2024, the focus has been on zero-day (or near-zero-day) vulnerabilities in virtual private network (VPN) software. Naturally, the share of the VPN vector in the Exploit vuln variety will likely increase for our 2025 report to reflect those trends, but the bottom line is again self-evident and self-explanatory. Anything that adds to your attack surface on the internet can be targeted and potentially be the first foothold for an external threat actor, and as such, the focus should be to try to keep footholds to a minimum.

No matter how you feel about your VPN software right now, having as many of your web applications as possible behind it might be a better strategy than having to worry about emergency overnight patching of the software and all the other dependencies that power the web applications themselves. This will not completely mitigate the risk and will not be the right fit for all organizations, but in the worst-case scenario, the Cybersecurity and Infrastructure Security Agency (CISA) might have you rip out only one tool from your network as opposed to several.

Anyway, all this nuance does not affect our opinion of having desktop sharing software directly connected to the internet. So fix that pronto, please. We are only human after all.

Figure 7. Select ways-in variety and vector enumerations in non-Error, non-Misuse breaches

One other combined metric we have been tracking for a few years is related to the human element in breaches. There is a lot of focus on how fully automated attacks can ruin an organization's day, but it is often surprising how much the people inside the company can have a positive effect on security outcomes.

This year, we have tweaked our human element metric a bit so its impact and opportunities are clearer. You see, when DBIR authors (and the whole industry in general) would discuss this metric, it would be alongside an opportunity gap for security training and awareness. It is not perfect, but if something could potentially improve the outcomes of more than two-thirds of potential breaches, you might at least sit down and listen.

It turns out that our original formula of what was included in the human element metric built in the Privilege Misuse action, which covers the cases involving malicious insiders. Having those mixed with honest mistakes by employees did not make sense if our aim was to suggest that those could be mitigated by security awareness training.

5 Unless by then we have successfully ripped them out of our networks and are back to

We dread to think what "awareness training" for malicious insiders would look like.


Figure 8 showcases the new human element over time (with malicious insiders removed) to provide a better frame of reference for our readers going forward. It is present in more than two-thirds of breaches as foreshadowed two paragraphs ago, more precisely in 68% of breaches. It is statistically similar to our findings last year, which means that in a certain way, the increases we had across the board in the Miscellaneous Errors pattern (human-centric) and as a result of the MOVEit vulnerability (automated) were similar in scope as far as this metric is concerned.

Fans of the "original flavor" human element are not missing much because the inclusion of the Misuse action would have brought the percentage to 76%, statistically only slightly more than the previous report's 74%. So we prefer the clearer definition going forward, and we will leave the analysis of those bothersome insiders and their misdeeds to the "Privilege Misuse" pattern section.


The weakest links in the chain of interconnection


Finally, as we review the big picture of how the threat landscape changed this year, we would like to introduce a new metric that we will be tracking going forward. As the growth of exploitation of vulnerabilities and software supply chain attacks make them more commonplace in security risk register discussions, we would like to suggest a new third-party metric where we embrace the broadest possible interpretation of the term. Have a peek at Figure 9, where we calculated a supply chain interconnection influence in 15% of the breaches we saw, a significant growth from 9% last year. A 68% year-over-year growth is really solid, but what do we mean by this?

For a breach to be a part of the supply chain interconnection metric, it will have taken place because either a business partner was the vector of entry for the breach (like the now fabled heating, ventilating and air-conditioning [HVAC] company entry point in the 2013 Target breach) or if the data compromise happened in a third-party data processor or custodian site (fairly common in the MOVEit cases, for instance). Less frequently found in our dataset, but also included, are physical breaches in a partner company facility or even partner vehicles hijacked to gain entry to an organization's facilities.

Figure 8. Human element enumeration in breaches over time

Figure 9. Supply chain interconnection in breaches over time


So far, this seems like a pretty standard third-party breach recipe, but we are also adding cases, such as SolarWinds and 3CX, in which their software development processes were hijacked and malicious software updates were pushed to their customers to be potentially leveraged in a second step escalation by the threat actors. Those breaches are ultimately caused by the initial incident in the software development partner, and so we are adding those to this tab.


Now for the controversial part: Exploitation of vulnerabilities is counted in this metric as well. As much as we can argue that the software developers are also victims when vulnerabilities are disclosed in their software (and sure they are), the incentives might not be aligned properly for those developers to handle this seemingly interminable task. These quality control failures can disproportionately affect the customers who use this software. We can clearly see what powerful and wide-reaching effects a handful of zero-day or mismanaged patching rollouts had on the general threat landscape. We stopped short of adding exploitation of misconfigurations in installed software because, although those could be a result of insecure defaults, system admins can get quite creative sometimes.


Figure 10 shows the breakdown of VERIS actions in the supply chain metric and, as expected, it is driven by Exploit vuln, which ushers Ransomware and Extortion attacks into organizations.


This metric ultimately represents a failure of community resilience and recognition of how organizations depend on each other. Every time a choice is made on a partner (or software provider) by your organization and it fails you, this metric goes up. We recommend that organizations start looking at ways of making better choices so as to not reward the weakest links in the chain. In a time where disclosure of breaches is becoming mandatory, we might finally have the tools and information to help measure the security effectiveness of our prospective partners.


We will keep a close watch on this one and seek to improve its definition over time. We welcome feedback and suggestions of alternative angles, and we believe the only way through it is to find ways to hold repeat offenders accountable and reward resilient software and services with our business.
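As an added worked example (not DBIR code or data), the following Python script applies the two metric definitions from this and the preceding section, the revised human element (malicious Privilege Misuse excluded) and the supply chain interconnection metric, to a constructed set of VERIS-style breach records. Which actions count toward the human element is an assumption here (Social, Error and use of stolen credentials, with Misuse optionally included to reproduce the "original flavor" comparison); the supply chain rules follow the text: a partner as the vector, a third-party data custodian, a malicious software update from a development partner, or Exploit vuln, with Exploit misconfig deliberately excluded. Record contents, field names and the `Category:Variety` action encoding are constructed for the example.

```python
from collections import Counter


def rec(rid, actions, vector, **flags):
    """Build one constructed VERIS-style breach record (not DBIR data).

    actions: "Category:Variety" strings; third-party flags default to False.
    """
    r = {"id": rid, "actions": set(actions), "vector": vector,
         "partner_vector": False, "third_party_custodian": False,
         "malicious_update": False}
    r.update(flags)
    return r


# Constructed sample of twelve breaches covering each rule branch.
BREACHES = [
    rec(1, ["Social:Phishing"], "Email"),
    rec(2, ["Hacking:Exploit vuln"], "Web application"),        # third-party software bug
    rec(3, ["Error:Misdelivery"], "Email"),
    rec(4, ["Misuse:Privilege abuse"], "LAN access"),            # malicious insider
    rec(5, ["Hacking:Use of stolen creds"], "Web application"),
    rec(6, ["Hacking:Exploit vuln", "Malware:Ransomware"], "Web application"),
    rec(7, ["Hacking:Use of stolen creds"], "Partner", partner_vector=True),
    rec(8, ["Hacking:Exploit vuln"], "Web application", third_party_custodian=True),
    rec(9, ["Malware:Backdoor"], "Software update", malicious_update=True),
    rec(10, ["Hacking:Exploit misconfig"], "Web application"),  # excluded by design
    rec(11, ["Social:Pretexting"], "Email"),
    rec(12, ["Error:Misconfiguration"], "Other"),
]

# Assumed human element components (the page states only the Misuse exclusion).
HUMAN_CATEGORIES = {"Social", "Error"}
HUMAN_VARIETIES = {"Hacking:Use of stolen creds"}


def involves_human_element(b, include_misuse=False):
    """Revised metric by default; include_misuse=True gives the old formula."""
    cats = {a.split(":")[0] for a in b["actions"]}
    if cats & HUMAN_CATEGORIES or b["actions"] & HUMAN_VARIETIES:
        return True
    return include_misuse and "Misuse" in cats


def involves_supply_chain(b):
    """Partner vector, third-party custodian, poisoned update, or Exploit vuln."""
    return (b["partner_vector"] or b["third_party_custodian"]
            or b["malicious_update"] or "Hacking:Exploit vuln" in b["actions"])


def rate(breaches, predicate, **kw):
    """Percentage of breaches satisfying predicate, rounded to one decimal."""
    hits = sum(1 for b in breaches if predicate(b, **kw))
    return round(100 * hits / len(breaches), 1)


def human_element_rate(breaches, include_misuse=False):
    return rate(breaches, involves_human_element, include_misuse=include_misuse)


def supply_chain_rate(breaches):
    return rate(breaches, involves_supply_chain)


def supply_chain_action_breakdown(breaches):
    """Figure 10 style view: action varieties inside supply chain breaches."""
    counts = Counter()
    for b in breaches:
        if involves_supply_chain(b):
            counts.update(b["actions"])
    return counts


if __name__ == "__main__":
    print(f"Human element, revised (Misuse excluded): {human_element_rate(BREACHES)}%")
    print(f"Human element, original (Misuse included): "
          f"{human_element_rate(BREACHES, include_misuse=True)}%")
    print(f"Supply chain interconnection: {supply_chain_rate(BREACHES)}%")
    for action, n in supply_chain_action_breakdown(BREACHES).most_common():
        print(f"  {action}: {n}")
```

The point of keeping the two predicates separate is that a breach can sit in both metrics (record 7, stolen credentials arriving through a partner) or in neither (record 10, a misconfiguration the text explicitly leaves out), so the metrics are reported side by side rather than as a single "third-party or human" bucket.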


We should stop watching those "Mission: Impossible" movies during DBIR writing season.

Figure 10. Action varieties in selected supply chain interconnection breaches
VERIS Actors


… your money" alongside dated pop culture references, but we have some interesting data points to discuss this …

… on outside help if you have the talent in-house? And speaking of disclosure, the numerous Extortion attacks used by …
… meeting and start pointing fingers at each other trying to figure out who the impostor is, it's important to realize that 73% of those Internal actor breaches were in the Miscellaneous Errors pattern, and we shouldn't really be holding their feet to the fire. We will be discussing more about this Error "renaissance" in the respective pattern section, but it showcases one long-standing suspicion of the team that mandatory breach disclosure at scale will help us better understand how mundane and preventable some of those incidents can be.

… causal landscape better.

Before anyone gets excited by more groundbreaking changes in the "Actor" section, Figure 12 is pleased to inform you that the Actor motive ranking remains the same. Financial has the clear lead, but it is interesting to note that the Espionage motive has gone up slightly over last year, from 5% to 7%. As was the case in the prior report, this motive is mostly concentrated in Public …

Figure 12. Threat actor motives in breaches (n=5,632)


We can find the same expected results when we consider the varieties of threat actors with which we are dealing. Figure 13 illustrates the lead that Organized crime-affiliated actors enjoy over their State-sponsored counterparts, as our analysis has shown for many years. Please don't misunderstand: This in no way means that the threat from those Actors should be taken lightly. State-sponsored actors are unusually resourceful and capable of adapting their tactics. Luckily for the average organization, they are less likely to target run-of-the-mill enterprises as often as your average garden-variety criminal.

… (in VERIS parlance, an average employee or contractor of an organization) has grown a lot, more than doubling … upsetting year for all detail-oriented perfectionists out there.

Figure 13. Threat actor varieties in breaches

Actor categories

External: External threats … No access or privilege is implied for external entities.

Partner: … relationship with the organization. … that an attack … a partner as a vector, but that does not make the partner the …

Just imagine what it would be like to work for one of those people. [Editor


Artificial general intelligence threat landscape, emphasis on "artificial," not "intelligence"


Despite the pressure from a vocal minority of the cybersecurity community, it seems that the DBIR team will not be adding "Evil AGI" to the VERIS actor enumerations in 2024. However, it is still a very timely topic and one that has been occupying the minds of technology and cybersecurity executives worldwide.

We did keep an eye out for any indications of the use of the emerging field of generative artificial intelligence (GenAI) in attacks and the potential effects of those technologies, but nothing materialized in the incident data we collected globally.

After performing text analysis alongside our criminal forums data contributors, we could obviously see the interest in GenAI (as in any other forum, really), but the number of mentions of GenAI terms alongside traditional attack types and vectors such as "phishing," "malware," "vulnerability" and "ransomware" were shockingly low, barely breaching 100 cumulative mentions over the past two years. Most of the mentions involved the selling of accounts to commercial GenAI offerings or tools for AI generation of non-consensual pornography. Figure 14 illustrates our findings.

If you extrapolate the commonly understood use cases of GenAI technology, it could potentially help with the development of phishing, malware and the discovery of new vulnerabilities in much the same way it helps your 10th grader write that book report for school or your average AI social media influencer pretend to create a website by taking a picture of a drawing on a napkin.

But would this kind of assistance really move the needle on successful attacks? One can argue, given our Social Engineering pattern numbers from the past few years, that Phishing or Pretexting attacks don't need to be more sophisticated to be successful against their targets, as we have seen with the growth of BEC-like attacks. Similarly, malware, especially of the Ransomware flavor, does not seem to be lacking in effectiveness, and threat actors seem to have a healthy supply of zero-day vulnerabilities for initial infiltration into an organization.

From our perspective, the threat actors might well be experimenting and trying to come up with GenAI solutions to their problems. There is evidence being published of leveraging such technologies in "learning how to code" activities by known state-sponsored threat actors, but it really doesn't look like a breakthrough is imminent or that any attack-side optimizations this might bring would even register on the incident response side of things. The only exception here has to do with the clear advancements on deepfake-like technology, which has already created a good deal of reported fraud and misinformation anecdotes.

18 Artificial general intelligence. You know: HAL 9000, Skynet, Cylons, …

… to do it again, but in the case of the DBIR, it seemed …

… certain when where we're pulling marketing copy or … cybersecurity …


Incidentally, we did ask one of those GenAI tools what threats this nascent technology could amplify, and it ended up suggesting the same things as above. It made it seem like it already had an outsize influence in those subjects and that "organizations must adapt their defense strategies to keep pace with the evolving sophistication of GenAI-driven threats." This little experiment seems to indicate that even GenAI has a tendency toward beefing up its resume via the use of well-placed exaggeration.

Turns out it's really hard to escape the hype no matter where you sit on the natural vs. artificial divide.


Figure 14. Cumulative sum of GenAI in criminal forums

VERIS Actions


A wise person once said, "We are what we repeatedly do," and wouldn't they be impressed by the stoicism of how some of our top VERIS Actions keep showing up year after year? In all fairness, it does seem more an exercise of "if it ain't broke, don't fix it" than any classical philosophical principle, but it highlights that we defenders have a lot of work to do, as usual.

… in breaches, and it brings a lot to … in the second spot, with 23%. … combined activity of 32% from those … and the part that the headline moves … impact, along with some other malware- and hacking-related varieties, such as … of vulnerabilities of last year, and that obviously has had an impact in our ways-in metric as discussed in the introduction. Readers can find more details about this remarkable event in our "System Intrusion" pattern section.

Figure 15. Top Action varieties in breaches (n=9,982)

One other thing worth noting is the clear overtaking of Pretexting as a more likely social action than Phishing. If you have been tracking our chronicle of the rise of BEC attacks, you know this is a viable and scalable way to address threat actor monetization anxieties.

… for incidents. It should not surprise … incidents. There is very little we can say … stable over the years. … with Extortion, we hit a similar ratio to last year's 15% of "Ramstortion." … in breaches, and the results are in line … pretexting. Web applications is hanging in there, though, and as we discussed …

Figure 16. Top Action varieties in …
Speaking of ways in, it might also be interesting to explore a handful of goals and outcomes of those attacks. Figure 18 describes the prevalence of ransomware/extortion and pretexting action varieties under the Financial actor motive. As we frequently point out, those are two of the most successful ways of monetizing a breach. The ransom duo has been hovering around the two-thirds mark (62%) for some time, while Pretexting made up nearly a quarter (24%) of goal actions over the past two years.


Figure 18. Select action varieties in Financial motive over time

Jen Easterly
Director, Cybersecurity and Infrastructure Security Agency (CISA)


Over the past year, CISA has been leading the secure by design software development revolution. We have issued alerts documenting foreign intelligence agencies penetrating hundreds of critical infrastructure entities and establishing a foothold, possibly to be used in a future conflict. We have also published blueprints for what we need to change in order to establish a culture of technology development that puts security first without sacrificing innovation. These two efforts are different and necessary approaches to the same problem.


Today, the software industry is focused 
on the malicious actors and how 

they work. As а community, we talk 
about signature adversary moves, 

the amount of money made and the 
vulnerabilities that were exploited, 


27 The obvious "ways out" pun doesn't make sense here. Maybe we had a cyber getaway car.


But it's that last point—vulnerabilities
that were exploited—that doesn't get
nearly enough focus. Most software
vulnerabilities are not unknown, unique
or novel. Instead, they fall into well-
known classes of vulnerabilities, and
unfortunately, we continue to see the
same classes of vulnerabilities that
have been identified for decades.

Our goal should be to shift away from
focusing on individual vulnerabilities
and to instead consider the issue
from a strategic lens. By focusing on
recurring classes of software defects,
we can inspire software developers to
improve the tools, technologies, and
processes and attack software quality
problems at the root. I hope that a
deeper understanding of how attackers
get in will be the catalyst to demand
that our technology be secure by
design starting today.




Exploitation of
moving swiftly
in the threat
landscape


The DBIR is entering its Vulnerability
Era. One of the most critical findings
we had this year was the growth of the
Exploit vuln action variety. We have
emphasized the fact that credential
abuse is the big thing to focus on for
several years now, and even the most
obtuse of us can see a trend when it is
smacking us in the face.


We knew that the MOVEit vulnerability
was trouble when it first entered the
scene, and we were able to identify
1,567 breach notifications that related
to MOVEit by a combination of (very
vague) breach descriptions and the
timing of the breach itself. Reports
state that the Cl0p ransomware team
had compromised more than 8,000
global organizations from a handful of
zero-day vulnerabilities being exploited.
It's important to mention this high
number even if our sampled incident
dataset does not account for all of
that in either breach notifications or
ransomware victim listings scraped from
the threat actor's own notification
websites.

This love story between zero-day
vulnerabilities and ransomware threat
actors puts us all in a concerning
place. By doing a survival analysis²⁹
of vulnerability management data and
focusing on the vulnerabilities in the
CISA Known Exploited Vulnerabilities
(KEV) catalog (arguably an area of
priority focus in vulnerability
management), we found that it takes
around 55 days to remediate 50% of
those critical vulnerabilities once their
patches are available. As Figure 19
demonstrates, the patching doesn't
seem to start picking up until after
the 30-day mark, and by the end of
a whole year around 8% of them remain
open.

But before organizations start pointing
at themselves saying, "It's me, hi, I'm
the problem," we must remind ourselves
that after following a sensible
risk-based analysis, enterprise patch
management cycles usually stabilize
around 30 to 60 days as the viable
target, with maybe a 15-day target for
critical vulnerability patching. Sadly,
this does not seem to keep pace with the
growing speed of threat actor scanning
and exploitation of vulnerabilities.
This is not enough to shake the risk off.

As we pointed out in the 2023 DBIR,
the infamous Log4j vulnerability had
nearly a third (32%) of its scanning
activity happening in the first 30 days
of its disclosure. The industry was very
efficient in mitigating and patching
affected systems so the damage was
minimized, but we cannot realistically
expect an industrywide response
of that magnitude for every single
vulnerability that comes along, be it
zero-day or not.

Figure 19. Survival analysis of CISA KEV vulnerabilities
at 30 days 85% of vulnerabilities were unremediated
at 55 days 50% of vulnerabilities were unremediated
at 60 days 47% of vulnerabilities were unremediated
at 180 days 20% of vulnerabilities were unremediated
at 365 days 8% of vulnerabilities were unremediated


In fact, if you look at the distribution
of when vulnerabilities have their first
scan seen in internet honeypots on
Figure 20, the median time for that to
happen for a Common Vulnerabilities
and Exposures (CVE) registered
vulnerability in the CISA KEV is five
days. On the other hand, the median
time for non-CISA KEV vulnerabilities
sits at 68 days. There is an obvious "no
true Scotsman" fallacy comment to be
made here because when exploitation
starts running rampant, vulnerabilities
get added to the KEV. There are few
hindsight metrics as powerful as this
one to guide what you should be
patching first. In summary, if it goes
into the KEV, go fix it ASAP.


Even though this survival analysis
chart looks bleak, this is the optimist's
view of the situation. We must remind
ourselves that these are companies
with resources to at least hire a
vulnerability management vendor. That
tells us that they care about the risk and
are taking measures to address it. The
overall reality is much worse, and as
more ransomware threat actors adopt
zero-day and/or recent vulnerabilities,
they will definitely fill the blank space
in their notification websites with your
organization's name.
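The survival analysis described above, as an added example that is not the DBIR's or Verizon's own code: a Kaplan-Meier estimate of time-to-remediation over a constructed patch backlog, stratified by CISA KEV membership, reporting the share still unremediated at the report's 30/55/60/180/365-day checkpoints. The vulnerability ids, the `in_kev` flag and the day counts are assumed sample values; entries still open at the end of observation are treated as right-censored rather than dropped.

```python
"""Kaplan-Meier survival analysis of vulnerability remediation times.

Added example (not DBIR or Verizon code). The DBIR reports the share of
CISA KEV vulnerabilities still unremediated at 30/55/60/180/365 days after
a patch is available; this reproduces that kind of curve from a constructed
sample, treating vulnerabilities still open at the end of observation as
right-censored rather than dropping them.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability in a patch backlog (constructed sample data)."""
    vuln_id: str      # placeholder identifier, not a real CVE
    in_kev: bool      # listed in the CISA KEV catalog? (assumed flag)
    days: int         # days from patch availability to remediation, or to end of observation
    remediated: bool  # False means still open when observation ended (right-censored)


def kaplan_meier(records: Sequence[VulnRecord]) -> List[Tuple[int, float]]:
    """Return the survival step function as (day, P(still unremediated after day)).

    At each remediation day the estimate is multiplied by (1 - events / at_risk).
    Censored records leave the risk set without lowering the curve, which is
    what distinguishes this from a naive 'fraction patched so far' computed
    over closed tickets only.
    """
    at_risk = len(records)
    survival = 1.0
    curve = [(0, 1.0)]
    for day in sorted({r.days for r in records}):
        events = sum(1 for r in records if r.days == day and r.remediated)
        censored = sum(1 for r in records if r.days == day and not r.remediated)
        if events and at_risk:
            survival *= 1.0 - events / at_risk
            curve.append((day, survival))
        at_risk -= events + censored
    return curve


def unremediated_at(curve: Sequence[Tuple[int, float]], day: int) -> float:
    """Value of the (right-continuous) step function at `day`."""
    value = 1.0
    for d, s in curve:
        if d > day:
            break
        value = s
    return value


def median_days_to_remediate(curve: Sequence[Tuple[int, float]]) -> Optional[int]:
    """First day on which at most half of the vulnerabilities remain open; None if never reached."""
    for d, s in curve:
        if s <= 0.5 + 1e-12:
            return d
    return None


def checkpoint_report(records: Sequence[VulnRecord],
                      checkpoints: Iterable[int] = (30, 55, 60, 180, 365)) -> Dict[int, float]:
    """Fraction still unremediated at each checkpoint, as in the DBIR figure callouts."""
    curve = kaplan_meier(records)
    return {day: unremediated_at(curve, day) for day in checkpoints}


def stratified_report(records: Sequence[VulnRecord]) -> Dict[str, Dict[int, float]]:
    """Run the checkpoint report for all entries, KEV-listed entries and the rest."""
    return {
        "all": checkpoint_report(records),
        "kev": checkpoint_report([r for r in records if r.in_kev]),
        "non_kev": checkpoint_report([r for r in records if not r.in_kev]),
    }


# Constructed sample backlog: KEV-listed entries get patched faster; one KEV
# entry and two non-KEV entries are still open when observation ends.
SAMPLE_BACKLOG = [
    VulnRecord("vuln-01", True, 10, True),
    VulnRecord("vuln-02", True, 20, True),
    VulnRecord("vuln-03", True, 45, True),
    VulnRecord("vuln-04", True, 60, False),
    VulnRecord("vuln-05", False, 30, True),
    VulnRecord("vuln-06", False, 90, True),
    VulnRecord("vuln-07", False, 120, False),
    VulnRecord("vuln-08", False, 200, True),
    VulnRecord("vuln-09", False, 365, False),
]


if __name__ == "__main__":
    for name, report in stratified_report(SAMPLE_BACKLOG).items():
        line = ", ".join(f"{day}d: {pct:.0%}" for day, pct in report.items())
        print(f"{name:>7}: {line}")
    print("median days to remediate (all):",
          median_days_to_remediate(kaplan_meier(SAMPLE_BACKLOG)))
```

Replace SAMPLE_BACKLOG with records exported from a vulnerability management tool to get the same curve for your own estate; the KEV stratum is the one the report tells you to watch.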


Figure 20. Time from publication of vulnerability to first scan seen (from 2020
onward). Series: Non CISA KEV, CISA KEV; x-axis: Days until first scan


If we can't patch the vulnerabilities
faster, it seems like the only logical
conclusion is to have fewer of them
to patch. We realize this is the stuff
of our wildest dreams, but at the very
least, organizations should be holding
their software vendors accountable
for the security outcomes of their
product, even if there is no regulatory
pressure on those vendors to do
better. The DBIR will emphasize this
point going forward by expanding our
third-party involvement in breaches
metric to also account for the
exploitation of vulnerabilities.³⁰ This
helps illustrate that when choosing
a vendor, software that is secure by
design would make a difference.

We recommend that folks who are
involved in both software development
and software procurement take the
time to review the recently updated
"Secure by Design"³¹ report by CISA
and 17 U.S. and international partners.
It shows how software can be made
to have better security outcomes and
what to look for as a buyer. The DBIR
does not intend to foster any bad blood
with software providers that might be
falling short of their goals in keeping
their products safe, but if there ever
was a clear time to make a statement
by prioritizing this elegant solution to a
growing threat, this is it. We can see the
costs of not acting all too well.

29 Eat your heart out, CVSS (Common Vulnerability Scoring System).
30 Have a look at the "Introduction" subsection in the "Results and analysis" section.
31 https://www.cisa.gov/resources-tools/resources/secure-by-design


VERIS Assets

Even though those results might not be
as exciting as the VERIS Actors we just
discussed, it is worthwhile to
understand the year-to-year trends in
the threat landscape.

Our asset power ranking⁴⁴ has not
changed a lot from last year, but there
are a handful of changes that are worth
pointing out in Figure 21. Even though
the order from the 2023 DBIR is the
same and the prevalence of Server
assets is roughly the same as well, we
find substantial growth in both Person
and Media assets.

Person as the direct victim, and the dataset
action, where pure Extortion got its
spin-off from, implied that there was an
extortion phase where the money was
requested without being connected to
a Person asset. Thus, this growth in
Person also makes sense as a more
representative truth of the mechanics
of such breaches. Your employees need
to be aware of how to handle a ransom
or extortion demand and follow whatever
procedures were established by your
organization to handle those. By the
way, make sure you have those
documented⁴⁵ just in case.

Figure 21 (series labels: Person, User Dev, Media)

45 Not on your file server. It should be fine, right? (Not really)


The Media growth is intrinsically
tied with the progression in the
Miscellaneous Errors pattern discussed
previously. Some of those Misdelivery
errors happen via physical documents
and fax machines, which might limit
their scope but does not make them
any less breachworthy to regulators.

Digging deeper in Figure 22, we get
a better sense of the Server asset
breakdown. While the Web application
and Mail servers are mostly involved
in credential-theft breaches, the File
server has been almost dominated by
the MOVEit breaches, which explains
why more than 95% of breached
assets are servers.

All in all, a pretty standard year in
the VERIS Assets world. We will be
discussing more on how to help keep
these assets safe in the "System
Intrusion," "Social Engineering" and
"Basic Web Application Attacks"
pattern sections.

Asset categories

without end-user interaction.
Where all the web applications,
mail services, file servers and all
that magical layer of information is
generated. If someone has ever
told you the system is down,
rest assured
almost all of the
but especially

Person (per):
doing the work at the organization.
will be members of
different departments and will have
permissions and access
in the organization stemming from
this role. At the
is a common target
Engineering pattern.

User device (usr): the device
the System Intrusion pattern but
also in the Lost and Stolen Assets
pattern. People do like to take their
little computers everywhere.

Network (net): not the concept
but the actual network computing
devices that make the bits go around
the
and br
of the traditional in-line network

drive and
ids from

Figure 22. Top Asset varieties in incidents (n=6,606)
(labels: S - Web application, U - Desktop or laptop)


VERIS Attributes

that it will often be collateral damage in
or any sort of attack that might not even
of a multistep breach. Figure 23
the Ransomware
data breaches
the breakdown of data varieties that
buyer. We dig into ransomware, ransom

Figure 25. Select Attribute varieties over time in breaches

In addition, we are observing a decline
in the Credentials data type from
a percentage point of view. This is
because the percentage of breaches
caused by Error actions is rising (again
as a result of our sample) as opposed
to external actors who are exploiting
weak credentials through credential
stuffing or brute force attacks.

As a final curiosity, another side
effect of the growth of extortion non-
encrypting attacks has resulted in a
significant bump in the Alter behavior
variety under Integrity. This is the
Integrity violation we get when Persons
are influenced by external threat actors,
and it is also a common outcome from
Phishing or Pretexting social actions.
To see it overcome the Obscuration
variety (the usual outcome of the
Ransomware action) in such a
sharp way in Figure 25 could be a
harbinger of things to come, the
consequence of which is that System
Intrusion pattern attacks become
more prevalent in the long run.


Attribute
categories

Confidentiality (cp): refers
to limited observation and
disclosure of an asset (or data).
A loss of confidentiality implies
that data were actually observed
or disclosed to an unauthorized
actor rather than endangered,
at-risk or potentially exposed
(the latter fall under the

(or data) being complete and
unchanged from the original or
authorized state, content and
function. Losses to integrity
include unauthorized insertion
and manipulation.
Short definition: complete and
unchanged from original

Availability (au): refers to an asset (or
data) being present,
impact (delay
and interruption. Short definition:
accessible and ready for use
when needed.

Stephen Bonner
Deputy Commissioner
Regulatory Supervision,
U.K. Information
Commissioner's Office (ICO)

information was kept safe so they can
participate in society, including having
the confidence to share their data to
access services and use products.

Our security incident trend data,
which we have contributed to this
report, shows cyber threats not only
continue to exist but increase year
on year. It is important to remember
that there is no single solution to
security, but organizations can
improve their cybersecurity through
our guidance and tools to better
protect people's information.

We are also encouraging organizations
to be transparent when a cyber incident
happens, seeking early support and
sharing information so the cyber threat
landscape is improved for everyone.
The ICO will soon publish a review
of past security incidents to help
organizations continue to improve their
cyber resilience.


Incident
Classification
Patterns

Incident
Classification
Patterns:

Introduction


Pareidolia is a fancy word for seeing patterns in nature—clouds that look like
bunnies, a face in your toast looking back at you from your breakfast plate, etc.
As we have said before in this report, the human mind looks for patterns even
when they are not actually there. People simply need patterns to make sense of
their world, and the realm of cybersecurity is no different. Several years ago, we
realized that certain incidents appear to happen over and over again in clusters
that share certain similar characteristics. From that realization, we devised our
incident patterns that we have featured in our report for the last several years.

These incident patterns serve to cluster
similar incidents into categories that
make them easier to understand and
recall. They are based on the 4As of
VERIS (Actor, Action, Asset, Attribute),
which you can read more about in
the "Results and analysis" section
earlier in this report. The incident
classification patterns, of which there
are eight, are defined in Table 1, and
Figure 26 below shows how they
have changed over time in incidents.


Figure 26. Patterns over time in incidents (series: Denial of Service, System Intrusion, Privilege Misuse)

Figure 27. Patterns over time in breaches


We are once again featuring relevant
ATT&CK⁵⁵ techniques and Center for
Internet Security (CIS) Critical Security
Controls relevant to certain patterns.

Figure 27 illustrates how the various
patterns have ebbed and flowed
over the last few years in breaches.
As you can see, System Intrusion
continues to be the top pattern from
a breach perspective (as opposed to
incidents, where DoS attacks are still
king). Both the Social Engineering and
Miscellaneous Errors patterns have
risen appreciably, particularly the latter,
since last year. Conversely, the Basic
Web Application Attacks pattern has
fallen dramatically from its place in
the 2023 DBIR. We get to delve into
the reasons for these fluctuations
further along in this section.

55 https://attack.mitre.org


Basic Web Application Attacks: These attacks are against a Web application, and after
the initial compromise, they do not have a large number of additional Actions. It is the
"get in, get the data and get out" pattern.

Denial of Service: These attacks are intended to compromise the availability of networks
and systems. This includes both network and application layer attacks.

Lost and Stolen Assets: Incidents where an information asset went missing, whether
through misplacement or malice, are grouped into this pattern.

Miscellaneous Errors: Incidents where unintentional actions directly compromised a
security attribute of an information asset fall into this pattern. This does not include
lost devices, which are grouped with theft instead.

Privilege Misuse: These incidents are predominantly driven by unapproved or malicious
use of legitimate privileges.

Social Engineering: This attack involves the psychological compromise of a person that
alters their behavior into taking an action or breaching confidentiality.

System Intrusion: These are complex attacks that leverage malware and/or hacking to
achieve their objectives, including deploying Ransomware.

Everything Else: This "pattern" isn't really a pattern at all. Instead, it covers all
incidents that don't fit within the orderly confines of the other patterns. Like that
container where you keep all the cables for electronics you don't own anymore—just in case.

Table 1. Incident classification patterns


System
Intrusion

Summary

While shifts in tactics leveraged by
Actors have modified some of the top
Actions, the overall effect of these
Actors continues to be felt by the
majority of industries and organizations
of all sizes.

What is the same?

Ransomware attacks continue to drive
the growth of this pattern as they now
account for 23% of all breaches.

Frequency
5,175 incidents,
3,802 with confirmed
data disclosure

Actor motives
Financial (95%),
Espionage (6%)
(breaches)

Data compromised
Personal (60%),
System (26%),
Internal (22%)
(breaches)

Relevant ATT&CK techniques
Exploit vuln (VERIS)
Exploit Public-Facing Application: T1190
Compromise Accounts: Email Accounts: T1586.002
Remote Desktop Protocol: T1021.001
Exploitation for Privilege Escalation: T1068
Exploitation of Remote Services: T1210
External Remote Services: T1133
Valid Accounts: T1078
- Default Accounts: T1078.001
- Domain Accounts: T1078.002
- Local Accounts: T1078.003
- Cloud Accounts: T1078.004


In the world of our attack patterns, it's
been a competitive year, and there have
been a lot of contenders vying for the
first-place prize of MFB: most frequent
breach (granted, not as prestigious as
the MVP, but you work with what you
have). System Intrusion, for the third
year in a row, leads the pack with 36%
of breaches. Not sure exactly what
they're winning (our guess would be a
good bit of cash), but we can certainly
tell you who is losing, and that's all of
us. Let's dive into what is driving the
continued success of this pattern.


Execution: TA0002
Persistence: TA0003
Privilege Escalation: TA0004


The makeup of this pattern hasn't
changed much; this is where our more
sophisticated attacks are found. They
still largely consist of breaches and
incidents in which the threat actor
leverages a combination of Hacking
techniques and Malware to penetrate
the victim organization, more or less
what one might expect from an
unauthorized penetration test. However,
rather than providing a helpful written
report at the conclusion of the exercise,
they typically deploy Ransomware and
provide the victim with a much less
helpful extortion note. These
Ransomware attacks account for 70%
of the incidents within System Intrusion,
as seen in Figure 28. The other often
seen actions in the System Intrusion
pattern tend to be those that provide
the actor access to the environment,
such as Exploit vulnerabilities and
Backdoors. We also saw Extortion
creeping into this space, primarily
due to a large and impactful event
that we will discuss later in the report,
so stay tuned!

Ransomhow?

With regard to vectors (Figure 29), we
saw a great deal of Direct install. This
is when threat actors use their existing
system access to install malware,
such as Ransomware or Backdoors.
The vector of Web applications, which
is a favored target of exploits, also
appeared frequently, as we discussed in
the ways-in analysis in the "Results and
analysis" section. Of course, we still see
threat actors leveraging Email to reach
users and Desktop sharing software
to gain entry into systems. Because
these threat actors use a plethora of
tools and techniques, this data is longer
tailed, which is why Other shows up
relatively often in our top five. Within the
category of Other are vectors such as
VPN, Software updates and a whole
bunch of Unknowns (our bet is that it
is most likely split among the tactics
discussed above, just not explicitly
reported to us). Therefore, when
prioritizing your efforts at protecting
yourself, don't neglect addressing
malware infections, stolen credentials
or unpatched systems as it may lead
you to break out in Ransomware.


Ransomwho?

Much like Sisyphus with his never
hardworking people in IT must continue
for 11% of all incidents, making it

Figure 28. Top Action varieties in
System Intrusion incidents

Figure 29. Top Action vectors in
System Intrusion incidents (n=1,789)


When we remove the Ransomware
groups from this dataset, we're left
with a pretty even split of 44% run-of-
the-mill types of criminals and 40%
State-affiliated actors. It shouldn't
be too surprising to find out that the
tactics used by criminals are very
closely aligned to those used by Actors
working on the behalf of their country.

Ransomware (or some type
of Extortion) appears in 92%
of industries as one of the
top threats.

Clearly, the major difference is what
they do with that access. The subset
of criminals in this pattern who aren't
doing Ransomware/Extortion are
quietly siphoning off Payment data
from e-commerce sites and account
for 57% of breaches involving
stolen Payment cards, while the
State-affiliated actors look to pivot
and steal other types of data.

96% of incidents had no loss.
Dots represent the remaining 4%.


Ransomwhat?

Understanding the cost associated with
Ransomware is a bit complex as there
are several primary and secondary
costs to consider, not to mention the
possible soft costs associated with
reputational impacts. While we try our
best to capture these costs, it's worth
noting that the result isn't a full picture
but simply our best approximation using
the data we have.

One of the easier costs to capture is
the amount associated with paying
the actual ransom. Analyzing the FBI
IC3 dataset this year, we found that
the median adjusted loss (after law
enforcement worked to try to recover
funds) for those who did pay was
around $46,000 as shown in Figure 30.
This is a significant increase from the
previous year's median of $26,000, but
you should also take into consideration
that only 4% of the complaints had any
actual loss this time, as opposed to 7%
last year.

median amount of the initial ransom
of their total revenue, with 50%
of the demands being between
is quite a spread for the initial ransom
demand percentage. There were a few
running risk scenarios with an
costs associated with a ransomware attack
is a good starting point.

Figure 30. 95% and 80% confidence intervals of adjusted incident cost
for Ransomware

Figure 31. 95% and 80% confidence intervals of ransoms as a percentage of
victim revenue

higher ransom demands since they are likely to be higher revenue organizations.


CIS Controls for consideration

Bearing in mind the breadth of activity
found within this pattern and how
actors leverage a wide collection of
techniques and tactics, there are a lot
of safeguards that organizations should
consider implementing. Below is a small
subset of all the things an organization
could do. They should serve as a
starting point for building out your own
risk assessments to help determine
what controls are appropriate to your
organization's risk profile.

Protecting devices

Secure Configuration of Enterprise
Assets and Software [4]
- Establish and Maintain a Secure
  Configuration Process [4.1]
- Establish and Maintain a Secure
  Configuration Process for Network
  Infrastructure [4.2]
- Implement and Manage a Firewall
  on Servers [4.4]
- Implement and Manage a Firewall
  on End-User Devices [4.5]

Email and Web Browser
Protections [9]
- Use DNS Filtering Services [9.2]

Malware Defenses [10]
- Deploy and Maintain Anti-Malware
  Software [10.1]
- Configure Automatic Anti-Malware
  Signature Updates [10.2]

Continuous Vulnerability
Management [7]
- Establish and Maintain a
  Vulnerability Management
  Process [7.1]
- Establish and Maintain a
  Remediation Process [7.2]

Data Recovery [11]
- Establish and Maintain a Data
  Recovery Process [11.1]
- Perform Automated Backups [11.2]
- Protect Recovery Data [11.3]
- Establish and Maintain an Isolated
  Instance of Recovery Data [11.4]

Protecting accounts

Account Management [5]
- Establish and Maintain an Inventory
  of Accounts [5.1]

Access Control Management [6]
- Establish an Access Granting/
  Revoking Process [6.1, 6.2]
- Require MFA for Externally-
  Exposed Applications [6.3]
- Require MFA for Remote Network
  Access [6.4]

Security awareness programs

Security Awareness and Skills
Training [14]


MOVEit or don't

Over the summer, we were teased
with the idea of a great crossover
involving the father of the
atomic bomb and a plastic
For this year's report,
a similar type of tactic. There
perhaps a bit less
the hope of
their share
profits. Ransomware groups have
demonstrated a remarkable ability to
evolve their tactics.

One such recent evolution was
snapshotted in the MOVEit incident,
where threat actors used a zero-
day attack (a previously unknown
and unpatched vulnerability) in file
transfer software
and holding it hostage. The
attack affected organizations from a
variety of sectors, Educational
being by far the largest (Figure 32),
accounting for
of the breached organizations, according
to our breach notification dataset.

Figure 32. Top industries found in the MOVEit breach notification dataset
(labels: Finance (52), Information, Professional (54), Public (92), Manufacturing (31-33))

is like pretty
standard e-criminal stuff, it was a
shift in tactics worth discussing.
For starters, the group didn't
actually deploy Ransomware in
all of these cases, even though
it was previously partial to that
type of tactic. There
the data, Cl0p
myriad
means of separating the victims from
their hard-earned money
didn't choose this option, and
anything we'd suggest would be

when we combine it with Extortion (Figure 33)
that it follows pretty much the same
trend line. This indicates
that it may be the same actors,
and they are simply shifting tactics
to leverage the type of access
This combination did
What it did accomplish
was to slightly confound
the differences that exist between
System Intrusion and Social
Engineering patterns by introducing
a big chunk of data that
in both categories.

Figure 33. Ransomware and Extortion breaches over time

findings" section.

The DBIR team
not code, so this report isn't the best
place to
technical elements. Nevertheless, what the
vulnerability essentially did was
to allow the attackers to upload
a backdoor through a crafty SQL
This backdoor
attackers to perform
several different tasks such as
downloading data and manipulating
the application's legitimate users.

Unfortunately, because of the nature
the fact that this
vulnerability at the time of exploit
ensured that there was nothing
victims could have done to
it. There can be no doubt that this was
a large-scale and impactful
attack; however, it wasn't without
precedent. In fact, just a few months
before, in January 2023, the same
group had targeted another file
hosting platform resulting in a rather
busy month for Ransomware claims.

As we gaze into our crystal ball, we
systems
need to be
zero-day vulnerabilities being
leveraged by ransomware groups. If their pr
or, for that matter, keep
a very close eye on the security
patches those vendors release
and prioritize their application.


Social
Engineering

Summary

Pretexting continues to be the leading
cause of cybersecurity incidents, with
actors targeting users with existing
email chains and context. Extortion
also grew dramatically because of
the large-scale MOVEit incident.

What is the same?

Phishing and Pretexting via
email continue to be the leading
cause of incidents in this sector,
accounting for 73% of breaches.

Frequency
3,661 incidents,
3,032 with confirmed
data disclosure

Threat actors
External (100%)
(breaches)

Actor motives
Financial (95%),
Espionage (5%)
(breaches)

Data compromised
Credentials (50%),
Personal (41%),
Internal (20%),
Other (14%)
(breaches)

Relevant ATT&CK
techniques
Compromise Accounts: T1586
- Email Accounts: T1586.002
Establish Accounts: T1585
- Email Accounts: T1585.002
External Remote Services: T1133
Internal Spearphishing: T1534
Phishing: T1566


*ishing in
the wind

In the cybersecurity world, or "the
cyber biz" as we call it, we certainly
love our catchy terminology. Terms
such as whaling, smishing, quishing,
tishing, vishing, wishing, pharming,
snowshoeing and plain old phishing
are ever-present in the Social
Engineering pattern. This makes sense
because there are a lot of vectors
on which we need to educate our
employees and end users, and we're
positive that in another five years, there
will be new ones that we will have to
add to our list.

However, even with the growth of these
new vectors and types of attacks, we
tend to see the core social tactics such
as Pretexting and Phishing still being
used often (Figure 34). More than 40%
of incidents involved Pretexting, and
31% involved Phishing. Other tried-and-
true tactics such as attacks coming in
via email, text and websites (Figure 35)
aren't necessarily the most exciting,
but any security professionals who
have been around for any length of time
have probably seen these contenders
in some capacity over their careers.

Figure 34. Top Action varieties in Social
Engineering incidents (n=3,647)


Regardless of the exact method that
attackers use to reach organizations,
the core tactics are the same: They seek
to exploit our human nature and our
willingness to trust and be helpful for
their own gain. While these attacks
all share that commonality, one rather
significant difference is the scale and
pervasiveness of these tactics.

First, the good news. We have not seen
a dramatic rise in Pretexting like we
did last year. However, it is also true
that it hasn't decreased but instead
has maintained its position as the top
type of Social Engineering incident. As
a quick reminder, when we talk about
Pretexting, largely consider this as
a stand-in for BEC, where attackers
leverage existing email chains to
convince victims to do something, such
as update an associated bank account
with a deposit.

Figure 35. Top Action vectors in Social
Engineering breaches (n=2,961)


Low tech,
high cost

Unfortunately the bad news comes
next, which is that BECs continue to
have a substantial financial impact on
organizations. Figure 36 captures the
growth in terms of costs associated
with BEC since early 2018. As we
mentioned above, there isn't any growth
this year as compared to last year, but
neither has it decreased,
with the median transaction hovering
around $50,000.

Figure 36. Median transaction size for BECs (based on FBI IC3 complaints
where a transaction occurred)


One of the best things you can do when you realize you are a victim of BEC fraud is to promptly work with law enforcement. Figure 37 shows the distributions of outcomes from the cases our data contributors at the FBI IC3 have worked. In half of the cases, they were able to recoup 79% or more of the losses. On the less fortunate side, 18% of the incidents had nothing frozen and potentially lost everything that was sent to the criminals.


Figure 37. Percent of losses frozen for recovery (chart annotations: 18% of incidents had nothing frozen; 79% of losses frozen at the median)




I hope this threat finds you well.


Our introvert selves were already weary of all these social "interactions" even before these extortion-based attacks from ransomware groups busted through the door into the Social Engineering pattern. Social attacks, such as those involving Phishing, have long played their part in ushering in a ransomware deployment, as typified by the leveraging of those techniques in the ALPHV breach of MGM Resorts and other entertainment groups. But given the shift in tactics by some groups, along with the Extortion action being the final result of the breach as opposed to an initial one, this seemingly "System Intrusion-y" attack now also shows up in this pattern.


Keep in mind, however, that Extortion isn't anything new in this pattern. We've seen various iterations of it from the empty threats ("We've hacked your phone and caught you doing NSFW stuff") to somewhat credible threats ("Look us up. We're super-duper hackers that'll DDoS you") to very credible threats ("We'll leak the data we took. Here are samples for you to validate"). This year, however, Extortion showed up in spades as a result of the MOVEit breach, which affected organizations on a relatively large scale and in an extremely public fashion.
Figure 38. Steps in Social Engineering incidents


This is plainly visible in the steps to breaches chart (Figure 38). As you can see, there has been a dramatic increase in compromising servers via Hacking. Given the prevalence of these types of attacks, we recommend discussions with leadership to determine what the course of action should be if they occur in your organization.


School of [...]

This is probably cliché at this point, but we're believers that the first line of defense for any organization isn't the castrametation of their systems but the education of their key staff, including end users. Fortunately, this isn't simply us standing on our "user-awareness" soapbox. We have both figures and hard numbers to help quantify our stance. The first lesson to learn is that Phishing attacks happen fast. The median time to click on a malicious link after the email is opened is 21 seconds, and then it takes only another 28 seconds to enter the data (Figure 39). That leads to a frightening finding: The median time for users to fall for phishing emails is less than 60 seconds.

Figure 39. Time between email clicked and data entered (time to click: 21 seconds; time to data entry after click: 28 seconds)

Some good news is that, as an industry, we seem to be getting better with regard to phishing test reporting. More than 20% of users identified and reported phishing per engagement, including 11% of the users who did click the email. As Figure 40 illustrates, this is another impressive improvement and one that we desperately need in order to catch up with the previous year's increases in Phishing and Pretexting.

Figure 40. Phishing email report rate by click status
increases in Phishing and Pretexting. 




CIS Controls for consideration

There are a fair number of controls to consider when confronting this complex threat, and all of them have pros and cons. Due to the strong human element associated with this pattern, many of the controls pertain to helping users detect and report attacks as well as protecting their user accounts in the event that they fall victim to a phishing attack. Lastly, due to the importance of the role played by law enforcement in responding to BECs, it is key to have plans and contacts already in place.


Protect accounts

Account Management [5]
- Establish and Maintain an Inventory of Accounts [5.1]
- Disable Dormant Accounts [5.3]

Access Control Management [6]
- Establish an Access Granting/Revoking Process [6.1, 6.2]
- Require MFA for Externally-Exposed Applications [6.3]
- Require MFA for Remote Network Access [6.4]

Security awareness programs

Security Awareness and Skills Training [14]

Although not part of the CIS Controls, a special focus should be placed on BEC and processes associated with updating bank accounts.

Managing incident response

Incident Response Management [17]
- Designate Personnel to Manage Incident Handling [17.1]
- Establish and Maintain Contact Information for Reporting Security Incidents [17.2]
- Establish and Maintain an Enterprise Process for Reporting Incidents [17.3]


Basic Web Application Attacks

Summary

Threat actors continue to take advantage of credentials that are simplistic and easily guessable, either by brute forcing them, buying them or reusing them from previous breaches.

What is the same?

Financially motivated external actors continue to target credentials and personal information.

Frequency: 1,897 incidents, [...] with confirmed data disclosure
Actor motives: Financial (85%), Espionage (15%) (breaches)
Data compromised: Credentials (77%), Personal (58%), Other (29%), Internal (17%) (breaches)

Relevant ATT&CK techniques:
- Brute Force: T1110
- Credential Stuffing: T1110.004
- External Remote Services: T1133
- Valid Accounts: T1078
- Default Accounts: T1078.001
- [sub-technique name garbled]: T1078.00[...]
- Use Alternate Authentication Material: T1550


What if we were to tell you there is perhaps no pattern that is as complex, multifaceted and, quite frankly, riveting to read about as the Basic Web Application Attacks pattern? We'd be pulling your leg, that's what. This pattern is basically just like it sounds: typically uncomplicated attacks against either unprotected or (more often) poorly protected web applications that grant the criminal a foothold into an organization's environment. If the System Intrusion pattern can be thought of as a sophisticated "bank heist," this pattern presents us with a good visualization of Occam's razor in action. It has fewer steps and is possibly the simplest and shortest path from point A to point B. Like many things that are not overly complicated, it works extremely well.


Last year, this type of attack accounted for one-quarter of all breaches. This year, however, our dataset shows just over 8% of breaches in the Basic Web Application Attacks pattern. As is always the case in this pattern, the attacker gains access via hacking by the Use of stolen credentials (77%), Brute force (usually easily guessable passwords) (21%) or the Exploit vuln action (13%) (Figure 41).


Beware devs bearing crypto.


Interestingly, approximately 20% of the malware in this pattern consists of cryptocurrency mining Malware. Upon further inspection, we found a small cluster of Nation-state actors that were leveraging known vulnerabilities and cryptocurrency mining malware (and Ransomware) to make a few extra dollars for their country. Not something particularly revolutionary but always interesting to see tactics that are more than a decade old still hold up.


Figure 41. Top Hacking actions in Basic Web Application Attacks breaches (n=[...])


Like a one-size-fits-all gas station baseball cap ("Keep on Truckin'"), any organization can fit into the Basic Web Application Attacks pattern, but it won't look too good on you. The Financial and Insurance (18%), Information (14%) and Professional, Scientific and Technical Services (13%) industries make up the top three verticals affected by Basic Web Application Attacks, but we see these attacks in most other industries as well. There is also no substantial difference between large organizations (65%) and small organizations (47%) in the Basic Web Application Attacks pattern.


Attack of the stolen credentials


If you're a regular reader you may have realized by now that there are a great many incidents in our dataset that leverage stolen credentials. Over the past 10 years, stolen credentials have appeared in almost one-third (31%) of breaches (Figure 42). Ergo, credentials are a core component of compromising organizations. However, while we know this to be a fact, there are a lot of things we don't know about these credentials: Where do they come from, how did they get here and will we ever know the full story?
Figure 42. Top Action varieties since 2013 (n=35,970)


If we are to understand where stolen credentials come from, we must consider the different types of credential attacks that exist. Unsurprisingly, Phishing is the most common credential-related attack that we see in our dataset and accounts for 14% of breaches involving Credentials. Social Engineering is extremely common and remarkably effective because it targets individuals versus systems. It's much easier to harden a system than it is to harden an individual, as our Social Engineering section illustrated. Another basic type of credential attack is Brute force (guessing all the passwords), and while it is an effective tool in the attacker's arsenal, it appears in only 2% of breaches this year. This technique is most successful when individuals or applications use weak or, even worse, default credentials. A silver lining here is that Brute force attacks have existed as long as there has been a login option, so a multitude of mitigations are commonly available, such as enforcing password complexity (ick) and length (slightly less ick) as well as limiting how quickly and how often logins can be attempted.




No country for old credentials


Credential stuffing is Brute force's more hip cousin. While these attacks have a lot in common, credential stuffing affords the attacker a greater chance of success. That's because rather than guessing all possible combinations, credential stuffing leverages combinations of usernames/emails and passwords that are already known to exist because they were harvested from previous breaches. Recent high-profile cases have occurred in which attackers leveraged this technique to gain access to highly personal user data.


These types of attacks are more insidious because they spread the attack across various accounts and IP addresses, thus making them more difficult to prevent. If your organization has a high number of customers, especially consumer-facing web applications and application programming interfaces (APIs), you should consider instituting robust protections before attackers use a tool and a free list of proxies to attempt combinations they found in a chat site.
Figure 43. Distribution of web application attack types


75 The former becomes more secure, while the latter simply becomes jaded.

76 [...] sunglasses [...]

77 Not unlike Bigfoot (No DBIR would be complete without at least one Sasquatch reference).


Speaking of APIs, we can examine the prevalence of those types of attacks in sampled detection data from our API firewall data partners in Figure 43. As expected, credential stuffing is the most commonly identified attack, but it is often commingled with Brute force. Another interesting result from this dataset was that the prevalence of credential abuse-like attacks amounted to only 15% of attacks, less than half of what we see in Use of stolen credentials in the incident dataset. This makes sense because there is much more to try to exploit on APIs than just credentials.
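A defender-side way to tell the two credential attacks described above apart in authentication logs, as an added example that is not code from the DBIR or its API firewall partners: Brute force shows up as many guesses against few accounts, credential stuffing as roughly one guess per account spread over many accounts and source addresses. The log format, the three constructed logs and the classification thresholds are assumptions.

```python
"""Telling Brute force from credential stuffing in authentication logs.

Added example for this section (not DBIR code). All log lines below are
constructed. Brute force hammers a few accounts with many guesses, while
credential stuffing tries each leaked username/password pair about once,
spread over many accounts and many source IPs, so per-IP counters alone
do not see it.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    src_ip: str
    user: str
    ok: bool


@dataclass(frozen=True)
class WindowStats:
    attempts: int
    failures: int
    distinct_users: int
    distinct_ips: int
    max_per_user: int  # most attempts aimed at any single account
    max_per_ip: int    # most attempts from any single source address


def parse_log(text: str) -> list[AuthEvent]:
    """Parse constructed lines of the form '<ts> <src_ip> <user> <OK|FAIL>'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(ts, ip, user, result == "OK"))
    return events


def summarize(events: list[AuthEvent]) -> WindowStats:
    """Aggregate one time window of events into the counters classify() uses."""
    per_user = Counter(e.user for e in events)
    per_ip = Counter(e.src_ip for e in events)
    return WindowStats(
        attempts=len(events),
        failures=sum(not e.ok for e in events),
        distinct_users=len(per_user),
        distinct_ips=len(per_ip),
        max_per_user=max(per_user.values(), default=0),
        max_per_ip=max(per_ip.values(), default=0),
    )


def classify(stats: WindowStats, *, min_attempts: int = 20,
             min_fail_ratio: float = 0.8, spread_ratio: float = 0.8,
             hammer_threshold: int = 10) -> str:
    """Label a window 'normal', 'brute_force', 'credential_stuffing' or 'suspicious'.

    The thresholds are illustrative assumptions, not figures from the report.
    """
    if stats.attempts < min_attempts:
        return "normal"
    if stats.failures / stats.attempts < min_fail_ratio:
        return "normal"  # mostly successful logins: ordinary traffic
    if stats.max_per_user >= hammer_threshold:
        return "brute_force"  # one account being hammered
    if (stats.distinct_users / stats.attempts >= spread_ratio
            and stats.distinct_ips >= 5):
        return "credential_stuffing"  # ~one try per account, many sources
    return "suspicious"


def classify_log(text: str) -> str:
    return classify(summarize(parse_log(text)))


# Constructed sample logs (not real data). Addresses are documentation ranges.
BRUTE_FORCE_LOG = "\n".join(
    f"2024-05-01T10:00:{i:02d}Z 198.51.100.7 admin FAIL" for i in range(30)
) + "\n2024-05-01T10:00:30Z 198.51.100.7 admin OK"

# 120 accounts tried once each from 40 proxy addresses; a few pairs still work
STUFFING_LOG = "\n".join(
    f"2024-05-01T11:{i // 60:02d}:{i % 60:02d}Z 203.0.113.{i % 40 + 1} "
    f"user{i:04d}@example.com {'OK' if i % 50 == 0 else 'FAIL'}"
    for i in range(120)
)

# Ordinary traffic: five staff logging in, with the occasional mistyped password
NORMAL_LOG = "\n".join(
    f"2024-05-01T12:00:{i:02d}Z 192.0.2.{i % 3 + 1} user{i % 5}@example.com "
    f"{'FAIL' if i % 7 == 0 else 'OK'}" for i in range(30)
)

if __name__ == "__main__":
    for name, log in (("brute force", BRUTE_FORCE_LOG),
                      ("stuffing", STUFFING_LOG), ("normal", NORMAL_LOG)):
        print(f"{name:12s} -> {classify_log(log)}")
```

Note that the stuffing log never trips a per-IP or per-account counter (at most three attempts per address, one per account), which is why the classification keys on the spread of accounts rather than on any single hot spot.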


But what if you don't have consumer-facing web applications or APIs? What if you already enforce strict password policies, such as a monthly rotation of 24-character passwords? Surely such a fate could not befall you, right? Unfortunately, password stealers can still snatch your data. While we admittedly do not see password dumpers too often in our dataset (2% of breaches), it is important to keep in mind that we can only report on those things into which we have visibility, and this type of Malware likes to reside in places where there's limited visibility (such as personal computers, not work-related ones).


To get an idea of how pervasive this issue might be, we took a look at the marketplaces dedicated to selling and reselling credentials and cookies collected from these password stealers. Our sample was only two days from one market; nevertheless, we found more than a thousand credentials per day being posted for sale with an average price of $10.
Figure 44. Percentage of stealer postings without major social media accounts listed


[...] credentials listed, which could be an indication that many of the systems aren't for personal use. Figure 44 shows the percentage of postings by stealer family name without social media accounts listed.

Another source of password stealers are libraries posted on public repositories. For the non-developers out there, [...] society has led to people [...] an import simply by saying "pip install library-of-my-choice" or "install.packages('library-of-my-choice')" and download the library they find posted. Needless to say, a very real risk with this approach is that you're taking it on faith that the libraries you're downloading are free from malware. Human nature being what it is, that is often not the case, and the [...] act as a means of distributing malware. Fortunately, there are numerous companies that actively scan the uploaded libraries to identify possible malware. When malicious packages are found, they often consist of information stealers (shocker).

Of course, simply uploading a package is not enough; it still requires someone to download it. Figure 45 captures some of the more popular approaches found in an npm repository. The most common type we found in the developer ecosystem were malicious packages that would advertise themselves as free video game currency generators. These would [...] clever enough to [...] how to install and download the code [...] but not sufficient [...] that if it sounds too good to be true, it [...].

In addition, there were malicious packages that leveraged typosquatting. This is when the developer of the malware posts the package with a similar name as a popular package in the hopes that someone would accidentally mistype the package name when attempting to install the legitimate package. As a group of authors who collectively would be unemployed if it were not for the existence of spell-check, we can see this being a relatively effective tactic.

Figure 45. Malicious npm packages by Social Engineering technique
[...] targeted [...] before checking for private ones. If the attackers know that organizations are using the library "super-cool-internal-library," which is stored in their internal repository, the attackers can create a library on a public repository called "super-cool-internal-library" and the tooling may check the public repo first before looking at the internal ones. Fortunately, there are various programming best practices that can help mitigate this, alongside all the great companies that are out there helping protect us from these threats.

Take a breather after reading this section: there seem to be a lot of landmines that you have to avoid to help keep your organization safe from credential attacks. This is not new. We (and many others) have said it before: Multifactor authentication (MFA) goes a long way toward mitigating these types of attacks. For that matter, so does not letting your kids use your corporate computer to find ways of making free V-Bucks. As with anything else security related, the most effective controls are typically the ones that leverage the human element along with technical resources.

CIS Controls for consideration

Mitigating against stolen credentials

Account Management [5]
- Establish and Maintain an Inventory of Accounts [5.1]
- Disable Dormant Accounts [5.3]

Access Control Management [6]
- Establish an Access Granting/Revoking Process [6.1, 6.2]
- Require MFA for Externally-Exposed Applications [6.3]
- Require MFA for Remote Network Access [6.4]

Mitigating against vulnerability exploitation

Continuous Vulnerability Management [7]
- Establish and Maintain a Vulnerability Management Process [7.1]
- Establish and Maintain a Remediation Process [7.2]
- Perform Automated Operating System Patch Management [7.3]
- Perform Automated Application Patch Management [7.4]


Miscellaneous Errors

Summary


Errors have increased substantially this year, possibly indicating a rise in carelessness, although it may also reflect increased data visibility with new contributors. More than 50% of errors were the result of Misdelivery, continuing last year's trend, while other errors, such as Disposal, are declining. End-users now account for 87% of errors, emphasizing the need for universal error-catching controls across industries.


What is the same? 


We can always count on people making 
mistakes. The categories of mistakes 
they make are consistent year over 
year, and while some Error varieties 
have been decreasing, the ranking of 
frequency remains the same. 


Frequency: 2,678 incidents, 2,671 with confirmed data disclosure
Threat actors: Internal (100%) (breaches)
Data compromised: Personal (94%), Internal (34%), Bank (14%), Other (12%) (breaches)

Figure 46. Top Action varieties in Miscellaneous Errors breaches (n=2,586)


84 Look around at your coworkers, and use your best judgment to answer that question.


I know exactly what I'm doing.


In our fast-paced and hectic world, it is easy to make the occasional mistake. The key is to make sure that those errors remain occasional and do not become habitual. Employees might be inching toward the latter state given the fact that we saw approximately five times as many Error-related breaches this year as we did in last year's report. Does this substantial increase mean that incompetence and inattention to detail are booming? Possibly, but it is also, as stated earlier in this report, indicative of the generosity of our data-sharing partners. The greater the number of breaches that we examine, the higher these percentages become. More than 50% of errors in 2023 resulted from Misdelivery (sending something to the wrong recipient), as shown in Figure 46. This was also the No. 1 category in last year's report.


Misconfiguration is the next most common error and was seen in approximately 10% of breaches. Misconfiguration has been on a downward trend for the last three years. There are a few possible explanations for this. Chief among them is that (thankfully) many systems are becoming more secure by default, making the practice of standing up new tech without reading the manual a less risky proposal. Other factors may include that security researchers are not spending as much time on finding these systems with their screen doors flapping in the wind, and, lastly, criminals may be using the same tools historically utilized by researchers to discover these errors and exploiting them to steal data, which would result in the attack showing up with a Hacking action rather than Error.


Classification errors, Publishing errors and Gaffes (verbal slips) are all relatively tightly packed in order of mention. Disposal errors continue to decline ever so slightly (as has been the general trend for the last several years) and accounted for just over 1% of the cases in this pattern. It is unclear whether more attention has been paid to this matter or employees have simply gotten better at burning records in a barrel in the parking lot.


Figure 47 shows one rather drastic change in this pattern related to actors: End-user accounted for 87% of errors as opposed to 20% in last year's report, while System administrators dropped to only 11% (from 46% last year). This drop is in large part the result of the corresponding rise in Misdelivery: it takes a System administrator to misconfigure, but any old End-user can misdeliver. Power to the people!


Figure 47. Top Actor varieties in Miscellaneous Errors breaches (n=2,280)

Figure 48. Top industries in Miscellaneous Errors breaches (n=2,671)


Lastly, the Miscellaneous Errors pattern shows a relatively diverse array of industry types (Figure 48), with Healthcare and Public Administration at the top (understandably, given reporting requirements) and a good showing from other industries such as Financial and Insurance; Education; and Professional, Scientific and Technical Services. This illustrates the important fact that carelessness is somewhat of a universal trait, so employers in any vertical should ensure that their controls will catch these kinds of errors early.


CIS Controls for consideration

Control data

Data Protection [3]
- Establish and Maintain a Data Management Process [3.1]
- Establish and Maintain a Data Inventory [3.2]
- Configure Data Access Control Lists [3.3]
- Enforce Data Retention [3.4]
- Securely Dispose of Data [3.5]
- Segment Data Processing and Storage Based on Sensitivity [3.12]
- Deploy a Data Loss Prevention Solution [3.13]

Secure infrastructure

Continuous Vulnerability Management [7]
- Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets [7.6]

Application Software Security [16]
- Use Standard Hardening Configuration Templates for Application Infrastructure [16.7]
- Apply Secure Design Principles in Application Architectures [16.10]

Train employees

Security Awareness and Skills Training [14]
- Train Workforce on Data Handling Best Practices [14.4]
- Train Workforce Members on Causes of Unintentional Data Exposure [14.5]

Application Software Security [16]
- Train Developers in Application Security Concepts and Secure Coding [16.9]


Denial of Service

Summary

Denial of Service attacks can target different points of infrastructure and will manifest themselves in several forms that organizations need to be prepared to handle.

What is the same?

Denial of Service attacks continue to be ubiquitous and the top pattern for incidents.

Frequency: 16,843 incidents, 3 with confirmed data disclosure
Threat actors: External (100%) (all incidents)

Another year, another victory lap to our running champion, Denial of Service. Figure 49 shows this pattern being responsible for more than 50% of incidents analyzed this year. This pattern has been the most prevalent one for several years now, and you don't have to think very hard to understand why: Denial of Service attacks are relatively cheap to execute, and it is actually fairly easy for them to be "successful" at least until an organization's defenses are activated to mitigate them.

Figure 49. Patterns in incidents (n=30,458)

Our ongoing analysis of content delivery network (CDN)-monitored, web application-focused Denial of Service attacks shows that even though the median attack size has reduced slightly from 2.2 gigabits per second (Gbps) to 1.6 Gbps, the 97.5th percentile of those attacks increased to 170 Gbps from the previous high of 124 Gbps. Figure 50 showcases the data and the other percentile break points like the more realistic and grounded 90th percentiles. Those types of attacks are usually short duration, with large volumes; 50% of those attacks are less than five minutes long.

However, this year, we would like to try something different: Those precision-targeted attacks are very high volume. It is interesting to see the contrast to the impact of general distributed DoS (DDoS) filtering on the ISP level, where it is necessary to mitigate against a much wider variety of attacks and is prone to collateral damage from the high-volume ones.

Figure 50. Bits per second in CDN DDoS incidents (n=[...])


86 No electric toothbrushes were harmed during this observed growth of the Denial of Service pattern.

87 To some degree of illegal success.

88 Or as we like to call it, the [...] worst-case scenario that is not that weird outlier messing up your data analysis.


Figures 51 and 52 represent the distribution of both bits per second and packets per second of ISP-level collateral attacks all over the world. This dataset includes attacks on ISPs themselves; enterprises that paid for DDoS protection from their ISPs; and even individual users with broadband, mobile, wireless or satellite. It's clear that these are much smaller in size because the volume for this diverse group would not need to be as big as for enterprises. Those are also longer duration attacks, with the median attack time being around nine minutes. All in all, this class of Denial of Service attacks might be more representative of the challenges a non-e-commerce or heavily extranet service-oriented organization might face.


Additionally, our subject matter experts (SMEs) continue to report the growth of low-volume, persistent attacks on high-interaction services such as Domain Name System (DNS). When you want to take someone off the internet, there is more than one way to peel a potato.


At the end of the day, our recommendation remains the same as in the previous years. There is relatively minimal setup necessary for a DoS attack to take place, so organizations should consider adding some sort of automated or semi-automated protection system to help mitigate those. There is not a lot more to be done than to be prepared for the eventuality of some threat actor wanting to sever you from the internet for a while. To think otherwise is to live in denial.

Figure 52. Packets per second in ISP-level DDoS incidents
Lost and Stolen Assets

Summary

[...] percentage of cases resulting in confirmed data breaches in this pattern [...]. Devices are still much more likely to be lost than stolen. Laptops continue to be a risk for loss in particular.

Frequency: [...] incidents, 181 with confirmed data disclosure
Threat actors: [...] (breaches)
Actor motives: Financial (92%-100%), Convenience/Espionage/Fear/Fun/Grudge/Ideology/Other/Secondary ([...] each) (breaches)
Data compromised: Personal ([...]%), Internal ([...]%), Bank (25%), Other (7%) (breaches)

Now where did I put that?

If you've ever been through the line at airport security where you had to remove your mobile device, take off your shoes and throw away that bottle of water you weren't finished with, all while masking the amount of anxiety you were feeling to avoid triggering an enhanced security [...], you know that [...]. Things go missing while people are away from their usual environment and potentially distracted. Despite having wonderful data storage capabilities and an ever-smaller size, User Devices are the most likely to go missing, whether by ill will or inattention. Chief among them is the ubiquitous laptop, and we've seen an increase of those events this year after a brief downturn in 2022, as shown in Figure 53.

Figure 53. Top Asset varieties over time in Lost and Stolen Assets


CIS Controls for consideration

Protect data at rest

Data Protection [3]
- Encrypt Data on End-User Devices [3.6]
- Encrypt Data on Removable Media [3.9]

Secure Configuration of Enterprise Assets and Software [4]
- Enforce Automatic Device Lockout on Portable End-User Devices [4.10]
- Enforce Remote Wipe Capability on Portable End-User Devices [4.11]

Figure 54. Top Action varieties over time in Lost and Stolen Assets

As we have seen consistently in our dataset, assets are vastly more likely to be lost than stolen. Figure 54 shows that this was not always the case. Until 2021, we saw more items stolen, but perhaps given the pandemic's lessening of people out mingling, the theft opportunities were reduced. That said, we still see this trend despite most companies returning to a more traditional in-person work environment, so there could be something else at play here.

This year we saw a higher percentage of incidents involving Assets in this pattern causing confirmed data breaches as well, with last year showing about 8% confirmed breaches and this year showing a surprising 97%.

The important thing is to have protections on assets, where possible, that can stop a lost or stolen device from becoming a reportable data breach. Given the prevalence of this pattern, it seems that someone lost that memo.


Privilege Misuse

Summary

Employee betrayal poses a significant threat because employees steal data for personal benefit, sometimes colluding with External actors. Personal data is the prime target, along with Internal information. While we saw a spike in Fraudulent transactions last year, that has once again leveled out and is a lesser concern.

What is the same?

Internal actors are again largely working on their own in this pattern. The Financial motivation remains in ascension, while Espionage is [...] second. Personal data is still the main targeted data type.

Frequency: 897 incidents, 854 with confirmed data disclosure
Threat actors: Internal ([...]%), External (5%), Multiple (1%) (breaches)
Actor motives: Financial (88%), Espionage (46%), Grudge (6%), Ideology (2%), Other ([...]%) (breaches)
Data compromised: Personal ([...]%), Internal ([...]%), Bank ([...]%) (breaches)


Fool me once. 


Companies trust their employees. They trust them to do their jobs, raise issues that need attention and generally have the organization's best interests at heart. And in a perfect world, everyone would go along with this plan. But in this pattern, we see that is not always the case. Sometimes employees are in it for their own benefit at the expense of the company. Sometimes the relationship just isn't working out, and the employee feels entitled to the data that would make their landing at their next employer so much more attractive. As a consequence of actions such as these, we can provide the data breach analysis found in this pattern. Nobody wants to believe their employees will do them dirty, but if it happens, do you know how your organization would detect it? If you don't, you're not alone, and it may have already happened.


Shame on you. 


What motivates employees to steal data? In our experience, it is largely Financial. Whether they plan to use the data to commit financial crimes or just help them get a leg up in a new gig, it tends to be for their own direct benefit. We do also see the Espionage motive where employees take their ill-gotten gains to a direct competitor or even use them to start their own competing company. And they don't always work alone.


In our prior report, we saw collusion (multiple actors working in concert to achieve the goal of the breach) at 7%, which, while nowhere near the highs we saw back in 2019, was still a surprise. This year, things seem to have gone back to normal, and we are seeing collusion dropping to less than 1% of breaches. This is good news because it's bad enough when employees start making off with company data, but when they team up with outsiders, chaos ensues.


As Figure 55 shows, employees are largely taking Personal data. This is likely about customers, since names, contact info and other such things could be quite useful for both starting a new competing enterprise or for committing financial crimes. We saw Internal data show a bit of a spike this year as well, which would include sensitive plans and intellectual property that would attract the Espionage-motivated employee. Finally, Banking data is remaining mostly steady over time as a targeted data type.




Last year we observed a sharp uptick in the Fraudulent transaction, so we wanted to take a look this year to determine whether it was the start of a trend. This is commonly the end game of the BEC attack where attackers socially engineer someone into sending them cash electronically. Internal actors already have access to systems containing that capability, and they made good use of it last year. We are happy to report that this trend has not continued. Despite spiking to almost 15% in last year's data, it has returned to a placid 3% this year.




CIS Controls for consideration


Manage access

Secure Configuration of Enterprise Assets and Software [4]
- Establish and Maintain a Secure Configuration Process [4.1]
- Manage Default Accounts on Enterprise Assets and Software [4.7]

Account Management [5]
- Disable Dormant Accounts [5.3]
- Restrict Administrator Privileges to Dedicated Administrator Accounts [5.4]

Access Control Management [6]
- Establish an Access Granting Process [6.1]
- Establish an Access Revoking Process [6.2]
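As an added example (not part of the DBIR), here is a small Python audit that checks an account inventory against two of the safeguards listed above, Disable Dormant Accounts [5.3] and Establish an Access Revoking Process [6.2]. The account records, the HR separation list, the field names and the 45-day threshold are all constructed assumptions for illustration, not a real directory export format.

```python
"""Added example (not part of the DBIR): audit an account inventory against
two of the CIS safeguards listed above.

  - Disable Dormant Accounts [5.3]: flag enabled accounts with no sign-in
    for more than DORMANT_DAYS.
  - Establish an Access Revoking Process [6.2]: flag accounts whose owner's
    separation date has passed but that are still enabled.

The records, the separation feed, the field layout and the threshold are
constructed for illustration; they are not a real directory export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_DAYS = 45  # assumed review window; use what your access policy states


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_sign_in: Optional[date]  # None means the account has never signed in
    created: date


@dataclass(frozen=True)
class Finding:
    username: str
    safeguard: str  # "CIS 5.3" or "CIS 6.2"
    reason: str


def dormant_accounts(accounts, today, dormant_days=DORMANT_DAYS):
    """CIS 5.3: enabled accounts unused for longer than dormant_days.
    An account that never signed in is measured from its creation date, so a
    stale never-used account is not silently excluded."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing to flag
        last_seen = acct.last_sign_in or acct.created
        idle = (today - last_seen).days
        if idle > dormant_days:
            findings.append(Finding(acct.username, "CIS 5.3",
                                    f"no sign-in for {idle} days"))
    return findings


def unrevoked_accounts(accounts, separations, today):
    """CIS 6.2: accounts still enabled after their owner's separation date.
    `separations` maps username -> separation date from the HR feed.
    Recent sign-in activity does not excuse the account; it makes it worse."""
    findings = []
    for acct in accounts:
        left = separations.get(acct.username)
        if acct.enabled and left is not None and left <= today:
            days = (today - left).days
            findings.append(Finding(acct.username, "CIS 6.2",
                                    f"still enabled {days} days after separation"))
    return findings


def audit(accounts, separations, today, dormant_days=DORMANT_DAYS):
    """Run both checks; one account can appear under both safeguards."""
    return (dormant_accounts(accounts, today, dormant_days)
            + unrevoked_accounts(accounts, separations, today))


# --- constructed sample data (not real accounts) ------------------------
TODAY = date(2024, 5, 1)
ACCOUNTS = [
    Account("alice", True,  TODAY - timedelta(days=2),   date(2021, 3, 1)),
    Account("bob",   True,  TODAY - timedelta(days=90),  date(2020, 6, 15)),
    Account("carol", True,  None,                        TODAY - timedelta(days=120)),
    Account("dave",  False, TODAY - timedelta(days=400), date(2019, 1, 9)),
    Account("erin",  True,  TODAY - timedelta(days=10),  date(2022, 8, 20)),
]
SEPARATIONS = {
    "erin": TODAY - timedelta(days=20),   # left 20 days ago, signed in since
    "dave": TODAY - timedelta(days=300),  # left, and was disabled: fine
    "alice": TODAY + timedelta(days=14),  # gave notice; not yet due
}

if __name__ == "__main__":
    for f in audit(ACCOUNTS, SEPARATIONS, TODAY):
        print(f"{f.safeguard:8} {f.username:8} {f.reason}")
```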




Figure 55. Top Confidentiality data varieties over time in Privilege Misuse breaches


Industries 


Industries: 
Introduction 


Greetings! If you are just stepping onto the DBIR scene, please consider this your orientation. For our more seasoned veterans, feel free to simply breeze past; this terrain should be familiar ground.


As mentioned previously, in this report we examined 30,458 incidents, of which 10,626 were confirmed data breaches. We will view both of these categories in a more granular fashion, along with how they played out in the various industries and regions, in the following sections of the report. As we have mentioned in previous editions, what keeps one industry tossing and turning at night may not even register as a blip on another's radar. It boils down to attack surfaces, the prime real estate for cyber malfeasance. When you factor in the nuances of specific types of threat actors, the technological infrastructures underpinning each sector, the type of data an organization handles and retains, and how folks access and use that data, you've mixed a potent cocktail of security complexities.


For example, consider a tech behemoth swimming in the digital sea of mobile devices and their respective apps. Its risk profile looks markedly different from that of a boutique establishment relying on a point-of-sale system or a simple e-commerce platform supported by its vendor. Furthermore, these findings are also influenced by reporting requirements, which means that industries may experience varying levels of scrutiny from that perspective. Finally, smaller sample sizes for given industries are also an important factor that comes into play with regard to statistical analysis (smaller sample sizes result in lessened statistical confidence). Therefore, we ask readers to refrain from rushing to conclusions about an industry's security posture based solely on incident reports.


If you are here for insights tailored to your industry, we recommend that you spend time looking at the top patterns for your industry and reading up on the relevant pattern sections of the report. Just to let you know, the DBIR aligns with the North American Industry Classification System (NAICS) to determine which industry an organization belongs to. More detail on this can be found in Appendix A.
Figure 56. Incidents by industry

Figure 57. Breaches by industry


Accommodation and Food Services:


Frequency: 220 incidents, 106 with confirmed data disclosure

Top patterns: System Intrusion, Social Engineering and Basic Web Application Attacks represent 92% of breaches

Threat actors: External, Internal (9%), Multiple (1%) (breaches)

Actor motives: Financial (100%) (breaches)

Data compromised: Credentials (50%), Personal (28%), Payment (19%), System (19%), Other (16%) (breaches)

What is the same? Ransomware and social attacks continue to be a persistent problem within this industry, accounting for 35% of incidents.

Summary: Social Engineering has increased dramatically and now accounts for 25% of incidents in this sector, with Pretexting more than doubling from the previous year and representing 20% of incidents.


Spilling the bytes


There is always something cozy about the shop you call your second home, and attackers couldn't agree more. The Accommodation and Food Services industry continues to face the same core threats as before, with System Intrusion, Social Engineering and Basic Web Application Attacks leading the pack. There has been a notable increase in social engineering attacks. This is largely a result of the increase in Pretexting, which has more than doubled over the last year and now accounts for 20% of all incidents.


As if accidentally handing over your hard-earned money to criminals wasn't trying enough, organizations in this sector also have to contend with ransomware. Ransomware continues to be one of the top action varieties and has been for the last three years. However, the only good news is that it holds steady at 10%. In other news, Payment card data being compromised has dropped to an all-time low, from 41% of breaches in 2023 to now only 19%. This decrease aligns well with the overall decrease of Payment card data being targeted that we've seen across various industries, which may be indicating that shifts in chip technology might be causing threat actors to focus their efforts on other approaches. A nice bit of good news to enjoy with your cappuccino.


Figure 58. Top patterns in Accommodation and Food Services industry incidents


Educational Services:


Actor motives: Financial (98%), Espionage (2%) (breaches)

Summary: Errors of various types committed by internal actors and Extortion from external threat actors continue to constitute the curriculum of this industry.


... into the Advanced Placement-level breach findings, let's cover the more remedial Error section (Figure 59). ... transfer software that, when exploited, caused so much trouble for so many over the last year—was definitely ... criminals pay off their student loans rather rapidly.


Figure 59. Top patterns in Educational Services industry breaches


Financial and Insurance:


Frequency: 3,248 incidents, 1,418 with confirmed data disclosure

Top patterns: System Intrusion, Miscellaneous Errors and Social Engineering represent 78% of breaches

Threat actors: External (69%), Internal (31%) (breaches)

Actor motives: Financial (95%), Espionage (5%) (breaches)

Data compromised: Personal (75%), Other (30%), Bank (27%), Credentials (22%) (breaches)

What is the same? Miscellaneous Errors continue to plague this industry. As it did last year, Misdelivery presents an ongoing challenge for this sector.

Summary: System Intrusion has overtaken Miscellaneous Errors and Basic Web Application Attacks as the primary threat in Financial and Insurance this year, indicating a shift toward more complex attacks, accompanied by a rise in Social Engineering. Increased visibility into the Europe, Middle East and Africa (EMEA) region shows us that Ransomware attacks are alive and well there as well.


High as a Georgia pine


If our dataset is any indicator, interest rates and premiums aren't the only things rising in the Financial and Insurance industry. The System Intrusion pattern, where most of the more complex attacks typically reside, has risen from its third-place position last year to first place this year (Figure 60). The Social Engineering pattern, also typically a sign of increased complexity, is now in the top three patterns as well, while the more simplistic Basic Web Application Attacks (last year's champion) has fallen entirely off the podium. This is in relatively stark contrast to last year's findings, in which we pointed out that the adversaries weren't having to expend a great deal of effort to gain access to corporate data in this vertical. These changes seem to indicate that attackers are being forced to work a bit harder in order to compromise organizations in this sector. That's good news for everybody, except the threat actor, of course.




Figure 60. Top patterns in Financial and Insurance industry breaches


Lest they make it simply too difficult for criminals, this vertical remains consistent in committing Errors. As was almost universally the case this year, Misdelivery was quite prominent (Figure 61) and, along with Misconfiguration and Loss, made up most of the errors in this industry.


Has any action been taken?


With regard to Action varieties, they tell the story of the patterns relatively clearly. Ransomware and the Use of stolen credentials, the bread and butter of the System Intrusion pattern, are very common in this industry (and help boost that 95% Financial motive). All of those stolen credentials have to come from somewhere, and that somewhere is frequently from social attacks such as Phishing and Pretexting. Of course, credentials can also come from a multitude of other sources such as Brute force attacks (although it was quite low on the list for hacking actions) or simply harvested and reused from another breach.


Lastly, but certainly worthy of mention, is that 8% of the cases in our incident dataset targeting this sector were part of the whirlwind of the MOVEit breach, which shows how far-reaching supply chain breaches can be.


Figure 61. Top Error varieties in Financial and Insurance industry breaches (n=250)


Healthcare:


Frequency: 13,378 incidents, 1,220 with confirmed data disclosure

Top patterns: Miscellaneous Errors, Privilege Misuse and System Intrusion represent 83% of breaches

Threat actors: Internal (70%), External (30%) (breaches)

Actor motives: Financial (98%), Espionage (1%) (breaches)

Data compromised: Personal (75%), Internal (51%), Other (25%), Credentials (13%) (breaches)

What is the same? System Intrusion breaches remain in the top three attack patterns.

Summary: This year's Healthcare sector analysis reveals significant shifts compared to previous years. Insiders deliberately causing breaches have surged back into second place after a steady decline since 2018. Interestingly, Personal data has eclipsed Medical data as the preferred target for threat actors.


Their condition is rapidly evolving.


Privilege Misuse, which had been decreasing ..., has climbed into the second-place spot this year. This is even more worthy of mention when you consider Privilege Misuse wasn't even in the top three last year.


Whether wreaking malevolent mischief in the form of Privilege Misuse or simply making a hefty dose of innocent mistakes resulting in the Miscellaneous Errors pattern, ... whether electronically or through the misplacement of paper documents, which is bad for the organization and the environment. Lastly, we have Gaffe (a DBIR team favorite), which is when people simply blurt out sensitive data in the hearing of others.
Figure 62. Top patterns in Healthcare industry breaches

Figure 64. Top Attribute varieties in Healthcare industry breaches (n=1,102)


Information:


What is the same? The patterns remain constant since last year, and their ranked order has also not changed. The team found this somewhat interesting considering how many more breaches we had in this sector as compared to last year.

Summary: The overall breach sample size increased compared to last year, but this sector experienced substantially fewer incidents. Ransomware and Use of stolen credentials continue to dominate the System Intrusion pattern, while there was a slight decrease in Phishing attacks alongside a rise in Pretexting within the Social Engineering pattern. There was an increase in Espionage motives and state-sponsored actors targeting the industry, emphasizing the need for enhanced detective controls.


Figure 65. Top patterns in Information industry breaches
Manufacturing:


Actor motives: Espionage (3%) (breaches)

Data compromised: Personal (58%), Other (40%), Credentials (28%), Internal (25%) (breaches)

What is the same? Two of the top three patterns from last year are still in place. Financial motivation continues to be the driver behind most attacks.

Summary: Manufacturing has seen an increase in Error-related breaches. The installation of malware after hacking via the Use of stolen credentials is somewhat commonplace.


Figure 66. Top patterns over time in Manufacturing industry breaches


... be somewhat widespread regardless. ... Loss and Misconfiguration round out the top three error varieties, and they account for approximately 20% and 18% of breaches, respectively.


It's your asset on the (manufacturing) line.


Social Engineering remains steady with regard to breaches in this vertical due to action varieties such as Phishing (85%) and Pretexting (42%). Apparently, consumer feedback branded the Basic Web Application Attacks pattern as so 2022, and it now languishes near the bottom of the pattern rankings with the likes of Privilege Misuse. In fact, the asset of Server-Web app has been on a slightly downward trajectory. Figure 67 illustrates this decline and also shows the corresponding rise of Server-Mail. This makes sense when, as mentioned above, one considers that Phishing remains prevalent in the Manufacturing vertical. Of course, the credentials typically obtained via phishing are those that afford the criminal a foothold into the organization via the email account of the victim.
Figure 68. Top Action varieties in Manufacturing industry breaches


Professional, Scientific and Technical Services:


Frequency: 2,599 incidents, 1,314 with confirmed data disclosure

Top patterns: Social Engineering, System Intrusion and Miscellaneous Errors represent 85% of breaches

Threat actors: External (75%), Internal (25%) (breaches)

Actor motives: Financial (85%), Espionage (6%) (breaches)

Data compromised: Personal (40%), Credentials (38%), Other (33%), Internal (23%) (breaches)

What is the same? Personal data and Credentials are still the top types of data impacted in this industry.

Summary: Social Engineering is one of the top threats facing this industry, accounting for 40% of breaches, and 20% of breaches are the result of Pretexting. In addition, there has been an increase in errors, specifically Misdelivery.
Like many industries, we see Social Engineering and System Intrusion ... of Miscellaneous Errors ... as seen in Figure 69. ... we simply can't forget the unintentional (or rarely intentional) insider. Even though ... coming in from within the organization, the majority of them are Misdeliveries (12%) while only a handful involve individuals abusing their position (5%). This helps us remember that there are many more folks who are maladroit than malicious.




Figure 69. Top patterns over time in Professional, Scientific and Technical Services industry breaches


Public Administration:


Frequency: ... with confirmed data disclosure

What is the same? ... Engineering remain top attack patterns in this sector.

Summary: Miscellaneous Errors, particularly Misdelivery, have surged to the top spot in this industry, reflecting the commonality of mistakes leading to breaches. System Intrusion now ranks second, followed by Social Engineering. The predominance of internal actors underscores the potential consequences of employee carelessness, with Errors accounting for the majority of breaches.


Figure 70. Top patterns over time in Public Administration industry breaches


Owning up to your mistakes


Actions speak louder than


Malware figured in 27% of Public Sector breaches this year. Not unlike many other verticals, Ransomware was top of the heap with regard to malware varieties and accounted for 61% of malware-related breaches. Backdoors appeared in 38% of breaches involving malware, after which we saw a tight pack of several varieties jockeying for the third-place spot as illustrated in Figure 71.


The Social Engineering attacks we saw in Public Administration were mostly garden-variety Phishing (66% of breaches) and Pretexting (23%) attacks. No less concerning, but not really noteworthy in relation to the other findings.




Figure 71. Top Malware varieties in Public Administration industry breaches (n=243)


Actors behaving badly


The fact that Internal actors are the top threat this year underlines the fact that even the most well-meaning employees can trigger a data breach simply by being careless. For all actors, Error actions accounted for 51% of the cases, while malicious internal actors only accounted for 8%. Figure 72 is an illustration of how the road to breaches is paved with good intentions.


If we set aside the error-related breaches and the End-users who cause them, the most common external actors in this vertical were Organized crime (largely Ransomware attacks) at 67% and State-affiliated actors (29%) (Figure 73). And while we saw very little change in Espionage threat actors, we did see a slight uptick in financially motivated attacks.


Figure 72. Top Actions in Public Administration industry breaches (n=1,088)


Figure 73. Top External actor varieties in Public Administration industry breaches (n=305)


Retail:


Frequency: 725 incidents, 369 with confirmed data disclosure

Top patterns: System Intrusion, Social Engineering and Basic Web Application Attacks represent 92% of breaches

Threat actors: External (96%), Internal (4%) (breaches)

Actor motives: Financial (99%), Espionage (1%) (breaches)

Data compromised: Credentials (38%), Other (3%), Payment (25%), System (20%) (breaches)

What is the same? The three attack patterns not only remained consistent but are even in the same ranked order as last year. Threat actors with a Financial motivation continue to target this sector.

Summary: While this industry is usually the place where we see Payment card data stolen, the focus of the threat actors has shifted to Credentials. Pretexting is also increasing, while Phishing has dropped. Denial of Service attacks remain a problem for Retail organizations, causing disruption to their ability to serve their customers and make sales.


The Retail sector is where we often find "Magecart" threat actors. They are particularly skilled at inserting malicious code into the e-commerce sites of retail entities to siphon off (usually) Payment card information. We saw roughly the same percentage of these kinds of attacks this year as we did last year (Figure 74). However, the type of data being compromised showed surprising change.

With Credentials standing at 38% (very close to last year's 35%), we didn't expect to see Payment card data drop to 25% (from 37%). Now, we understand how attractive and useful Credentials are to your average threat actor, but we were stunned to see Payment card data, so useful for immediate fraud, drop so precipitously (Figure 75). As we have indicated before, we get the "what" of the changes in the data, but we do not always get the "why." Is this a result of increased controls around the monetization of payment card data, making it harder for the criminals to use the data they have stolen? Or is it just that credentials are so much easier to steal? Either way, we will be interested to see if this is just a blip on the radar or an actual trend starting.


Figure 74. Top patterns over time in Retail industry breaches

Figure 75. Top Confidentiality data varieties in Retail industry breaches


In social-related breaches, Pretexting has emerged triumphant over Phishing as the top social action. It is good to see that the threat actors were required to step up their game to successfully influence their chosen targets. Dare we hope it is because people are becoming better educated and thus able to resist the run-of-the-mill phishing efforts? A suspicious user community is a well-protected user community.


With regard to incidents, Denial of Service continues to represent a serious problem. While these attacks rarely result in confirmed data breaches, they do come with potentially serious disruption of the organization's ability to function. We also saw Ransomware-related incidents continue to decline as they have since 2021.


Regions


Regional analysis 


In this section, we once again examine cybercrime from a macro-regional point of view. We do this in the hope that it will be a quick and easy way for readers to learn how cybercrime trends differ and how they remain consistent from one geographical region of the world to the next. As always, our visibility into a given area is determined by many variables, including regional disclosure laws, our own dataset and where our data contributors conduct business. If you feel that your own patch of ground is not featured adequately in the following pages, please contact us about becoming a data contributor and motivate other organizations in your area to do the same. Please keep in mind that even if your region is not represented here, it doesn't mean we have no visibility into the region but rather that we don't have a sufficient number of incidents in that area to provide a statistically significant section.


We define the regions of the world in accordance with the United Nations M49¹⁷ standards, which combine the super-region and sub-region of a country together. By so doing, the regions we will examine are as follows:


APAC: Asia and the Pacific, including Southern Asia (034), South-eastern Asia (035), Central Asia (143), Eastern Asia (030) and Oceania (009)

EMEA: Europe, Middle East and Africa, including Northern Africa (015), Europe (150) and Eastern Europe (151) and Western Asia (145)

NA: Northern America (021), which primarily consists of breaches in the United States and Canada.


Many readers may recognize the At-a-glance tables that we place at the top of each major section. We have combined them to provide a quick look at how each of the regions compares to the others with regard to the frequency of incidents, top patterns and so on.


Table 5. At a glance for regions

APAC
Frequency: 2,130 incidents, 523 with confirmed data disclosure
Top patterns: System Intrusion, Social Engineering and Basic Web Application Attacks represent 95% of breaches
Threat actors: External (98%), Internal (2%) (breaches)
Actor motives: Financial (75%), Espionage (25%) (breaches)
Data compromised: Credentials (69%), Internal (37%), Secrets (24%), Other (17%) (breaches)

EMEA
Frequency: 8,302 incidents, 6,005 with confirmed data disclosure
Top patterns: Miscellaneous Errors, System Intrusion and Social Engineering represent 87% of breaches
Threat actors: External (51%), Internal (49%) (breaches)
Actor motives: Financial (94%), Espionage (6%) (breaches)
Data compromised: Personal (64%), Other (36%), Internal (33%), Credentials (20%) (breaches)

NA
Frequency: 16,618 incidents, 1,877 with confirmed data disclosure
Top patterns: System Intrusion, Social Engineering and Basic Web Application Attacks represent 91% of breaches
Threat actors: External (66%), Internal (8%) (breaches)
Actor motives: Financial (97%), Espionage (4%) (breaches)
Data compromised: Personal (50%), Credentials (26%), Internal (19%), Other (16%) (breaches)


17 https://unstats.un.org/unsd/methodology/m49/


Figure 76. Top patterns over time in APAC breaches

Figure 77. Top patterns over time in EMEA breaches

Figure 78. Top patterns over time in NA breaches


Around the world in 4 paragraphs


This year we were fortunate enough to have new contributors from EMEA join us. Due to the nature of contributing agencies along with the reporting requirements in that region, we have seen a substantial rise in the Miscellaneous Errors pattern. So much so that it is now the top pattern for the EMEA region. Any time we have a new contributor dataset that is larger in nature or has a propensity to report on specific types of actions (in this case, errors) we observe the resultant skewing of the data that one might expect. Perhaps next year we will be better positioned to determine if this jump in Miscellaneous Errors will continue or level out to be more consistent with the other patterns.


If we set aside the Error-heavy datasets and take a look at the regions through this lens, we can see that the System Intrusion pattern remains among the top for all regions. As always, the two main action types that we see represented in the System Intrusion pattern are hacking via the Use of stolen credentials and malware (most often) in the form of Ransomware. The "sans error" dataset also illustrates that the System Intrusion pattern has neither risen nor fallen significantly from last year but has instead held a relatively straight trajectory.


Social Engineering, on the other hand, has increased somewhat significantly from 29% to 45% when viewed across the whole dataset (mostly driven by Northern America, where it represents 56% of breaches). Extortion was the greatest driver of this growth in NA as it was present in 46% of its breaches. Our other Social Engineering favorites had a more timid showing in Northern America breaches: 13% for Phishing and 4% for Pretexting.


With regard to actors, the majority of cybercrime continues to be carried out by financially motivated external parties. One notable exception is that of APAC, where instead of more than 90% of attacks being financially motivated, we see that the Espionage motive is greater than it is elsewhere and accounts for 25% of breaches (as opposed to between 4% and 6% in the other regions). As a result, the data variety of Internal accounts for 37%, while Secrets is at 24% for APAC. These data types typically do not appear in the top three spots for the other regions. Meanwhile, Credentials make up a whopping 69% of compromised data in APAC. As we mentioned in the 2023 DBIR, while we frequently have visibility into what data types are stolen, we do not always know the details to explain precisely why. We do know that regulatory requirements differ from one region to the next and, consequently, this may make some types of data harder to get than others. However, it is clear that Credentials and Personal data figure prominently in cybercrime regardless of where you are located.


From the Cyber Security Agency of Singapore


Building a trusted and resilient cyberspace requires collective effort and partnership from both governments and the industry. Neither of us can do this by ourselves; we share the responsibility of securing cyberspace for all users. Forging strong public-private partnerships is necessary for strengthening cybersecurity on multiple fronts. This can include threat intelligence sharing to enhance visibility, conducting joint operations to combat sophisticated cyber threats, or jointly investing in the development of much needed capabilities.


This is why the Cyber Security Agency of Singapore (CSA) is committed towards developing deep partnerships with the industry. CSA has various Memoranda of Understanding with important industry partners that help us to tackle cybersecurity issues of the day together. These memoranda allow us to take on collaborative efforts, including the detection of global malicious cyber or information campaigns, and joint development of mobile security measures to ensure that Singapore's users are protected from common instances of malware. For example, CSA partnered with Google to pilot a new enhanced protection feature within Google Play Protect to further safeguard Android mobile users against malware-enabled scams. This enhanced protection feature will analyze and automatically block the installation of apps from Internet sideloaded sources—browsers, messaging apps and file managers that declare their intent to use sensitive permissions that are frequently used for financial fraud and scams.


These collaborations also extend towards policy areas. This year, CSA updated Singapore's cybersecurity legislation. This update was done in consultation with industry partners and other stakeholders to understand emerging challenges in cyberspace and seek their views on how to ensure Singapore's regulatory approach meets our policy intent, but is practical and commensurate to the cybersecurity risks represented by different essential service sectors and types of digital infrastructure or service.


CSA strongly believes that the industry has a crucial part to play in our collective cybersecurity, and can start by securing their products and services by design and default. This is especially important for the most vulnerable groups in society. This is why CSA has developed a "Safe App Standard" to help app developers and providers enhance the security of their mobile apps. We encourage DBIR readers to access these guidelines and more at CSA's website.


CSA looks forward to deepening our partnership with industry to further improve the security of our cyberspace.




We now draw your attention to the heatmap that is Figure 79. While it may not be as captivating to look at as the Mona Lisa, it is more useful, for enterprises at least. This map illustrates how different (or similar) attacks are based on geography (sort of like the At-a-glance section but with much more detail). The heatmap shows incidents and breaches broken down into the following: top patterns, top action types and top asset varieties. This is a very handy tool to help you locate potential problem areas in your region.


Hopefully you will find this (especially when combined with other data found in this report, such as industry and organization size) informative with regard to what your organization might be more prone to in terms of attacks, and can therefore assist you in creating your defense strategy.


Figure 79. Incidents and breaches by region


Wrap-up 


This concludes our regularly 
scheduled programming. 

We hope you have found the 
information in this document 
helpful, actionable and enjoyable. 


Once again the DBIR has shown that being as prepared as possible for all eventualities is the safest course. It is our hope that this document has gone at least some way toward helping you anticipate what threats are most likely to affect your organization and deploy your resources appropriately. We would like to express our sincere appreciation to our data contributors, without whom we could not make this report happen. And of course we thank you, our readers, for continuing to take the time to read this report, making helpful suggestions and greatly assisting us in the improvement of this report each year.

The DBIR team wishes you a safe and prosperous year, and we look forward to seeing you again in 2025.


Year in review 


Monthly snapshot as reported by the VTRAC Monthly Intelligence Briefings. If you'd like to 
learn more, feel free to reach out to the VTRAC team at Intel.Briefing@verizon.com. 


January 


The VTRAC's cyber intelligence collections in January reflected most of the recurring information security (InfoSec) risk issues we would observe through the rest of 2023. Ransomware continued to plague every sector. For example, the LockBit threat actors (TAs) attacked the Royal Mail on January 1, disrupting postal operations for more than six weeks. Atlantic General Hospital in Berlin, Maryland, was among the first healthcare organizations struck with ransomware. Vulnerabilities in FortiOS secure sockets layer (SSL) VPN products were exploited by Chinese APT actors attacking government networks and an African managed service provider. Russian advanced persistent threat (APT) actors continued to attack Ukraine. COLDRIVER attempted to breach Brookhaven, Argonne and Lawrence Livermore National Laboratories using spear phishing and fake login pages. Noteworthy zero-day vulnerabilities that were exploited before patch availability were CVE-2023-21674, a Windows advanced local procedure call (ALPC) elevation of privilege vulnerability, and CVE-2023-22952, a remote code execution vulnerability in SugarCRM's email templates. Month's end brought news of a multinational operation to disrupt the Hive ransomware TA that began in July 2022 and had provided decryption keys to more than 1000 victims.


February 


A preauthentication command injection vulnerability in Fortra's GoAnywhere MFT (managed file transfer) solution, labeled CVE-2023-0669, was a zero-day vulnerability that came to light in the first week of the month. Within days, we learned of a GoAnywhere MFT-related breach of more than 1 million patient records from the Community Health System. The Cl0p ransomware gang exploited GoAnywhere to steal data from more than a hundred companies beginning on January 18. The vulnerability was exploited in data breaches for several months only to be supplanted in June by a new zero-day vulnerability in another managed file transfer solution, Progress Software's MOVEit. Microsoft Patch Tuesday included patches for three zero-day vulnerabilities and Apple also patched a zero-day in WebKit. North Korean APT, the Lazarus Group, conducted the No Pineapple! campaign to exfiltrate more than 100 GB of data from organizations in medical research, healthcare, chemical engineering, energy and defense as well as a leading research university. The city of Oakland, California, declared a state of emergency following a ransomware infection that disrupted most city services. Both the Play and LockBit TAs claimed credit.


March 


3CX is a Voice over Internet Protocol (VoIP) private branch exchange (PBX) software development company whose 3CX Phone System is used by more than 360,000 customers worldwide and has more than 12 million daily users. A digitally signed and trojanized version of the 3CX VoIP desktop client was used to target the company's customers in an ongoing supply chain attack. Attributed to the Lazarus Group, the ultimate payload was a backdoor Trojan, Gopuram. The attackers used Gopuram with surgical precision. Gopuram was installed on fewer than 10 targets, all of which were cryptocurrency companies. The 3CX campaign demonstrated significantly more sophisticated capabilities from North Korean APT actors. And near the end of the month, a new North Korean APT emerged, APT43. Initial reports indicated that APT43 used cybercrime to fund its cyberespionage campaigns. Winter Vivern, the APT aligned with the national security interests of Russia/Belarus, was using malicious documents to collect credentials and exploit vulnerable Zimbra collaboration servers. Winter Vivern targeted government, military and diplomatic entities in nations supporting Ukraine. March's zero-day vulnerabilities included Outlook, Microsoft Defender SmartScreen and Adobe ColdFusion to keep patch management teams busy.


April


The month began with the exploitation of two zero-day vulnerabilities in Apple products. Google mitigated a zero-day in its Chrome browser's V8 JavaScript engine and then four days later rolled out a new version to mitigate a zero-day vulnerability in the Skia graphics engine. And Microsoft patched the second zero-day this year in its Common Log File System driver. Another zero-day vulnerability, CVE-2022-27926, affected Zimbra collaboration servers. The Winter Vivern APT actor had almost certainly discovered and exploited the vulnerability before the patch was announced. CERT Polska warned that the Russian APT29 was actively pursuing diplomatic targets in many nations, principally North Atlantic Treaty Organization (NATO) members. APT28 attacked vulnerable Cisco routers worldwide. The TTP of exploiting a 4-year-old vulnerability in network infrastructure was at once innovative and sufficiently simple to be adopted and adapted by many TAs. The GRU's Sandworm Team continued to focus on support of the Russian invasion of Ukraine. Multiple top-tier cybercrime actors continued to compromise PaperCut and Fortra GoAnywhere MFT systems to install Cl0p, LockBit and BlackCat/ALPHV ransomware and frequently exfiltrated data from victim networks. Microsoft noted an increase in the pace and the scope of cyberattacks attributed to Iranian threat actors. For example, Mint Sandstorm (Charming Kitten) rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly targeted phishing campaigns to quickly and successfully access environments of interest. The Mint Sandstorm APT began exploiting CVE-2022-47966 in Zoho ManageEngine on January 19, 2023, the same day the proof of concept (PoC) became public.


May


A Chinese state-sponsored APT group dubbed Camaro Dragon was found infecting TP-Link routers with a malicious firmware implant that allowed attackers to gain full control of infected devices and access compromised networks while evading detection. The group overlaps with activity previously attributed to Mustang Panda. Mustang Panda was also observed conducting phishing campaigns against European entities. Other phishing emails delivered fake "official" Ukrainian government reports that downloaded malware onto compromised machines. Mustang Panda's most used malicious implant was a Trojan program called PlugX, and it continued to remain the group's preferred spying tool. A new Chinese-aligned APT actor, Volt Typhoon, was identified after it had been found targeting critical infrastructure organizations in Guam and elsewhere in the United States since mid-2021. Barracuda identified a zero-day vulnerability (CVE-2023-2868) in its Email Security Gateway (ESG) appliance on May 19. A security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on May 20. Microsoft Patch Tuesday included two zero-day vulnerabilities. Apple released security advisories and patches mitigating more than 30 vulnerabilities, including three zero-day exploits affecting WebKit. On May 31, Progress Software released patches for a SQL injection vulnerability in MOVEit managed file transfer software. Labeled CVE-2023-34362, we later learned exploitation began on May 27.


June


MOVEit moved into the mainstream. VTRAC began receiving a large number of victim reports and we were still getting them as this went to press in February 2024. (MOVEit would continue to wreak havoc throughout the year, with multiple cybersecurity experts reporting increasing numbers of organizations and individuals affected.) There were indications the Cl0p ransomware TA had been testing MOVEit exploits in 2021. At least 1,000 organizations became victims, and personally identifiable information (PII) of at least 100 million individuals was compromised. The Russian APT Gamaredon Group attacked Ukraine featuring a PowerShell-based information stealer distributed on malicious USB thumb drives. Google released a new version of its Chrome browser to mitigate a vulnerability in the V8 JavaScript engine that was already being exploited in the wild. A zero-day vulnerability in Fortinet's FortiOS and FortiProxy SSL-VPN preauthentication was being exploited in the wild. After May's alert for CVE-2023-2868, on June 6, Barracuda announced any ESG appliance that had been compromised must be taken out of service and disposed of; patching was insufficient. Kaspersky security architecture detected suspicious activity originating from several iOS-based phones. It discovered a targeted APT campaign that it labeled Operation Triangulation. The target iOS device received a zero-click message via the iMessage service with an attachment containing an exploit. With no user interaction, the message triggered a vulnerability that led to code execution. After installation of the APT payload, the message was deleted. On June 21, Apple patched the Operation Triangulation zero-day vulnerabilities in the iOS kernel and in WebKit.
July


The top three ransomware TAs had a very good July. That is, InfoSec practitioners spent July avoiding successful attacks by LockBit, Cl0p and ALPHV. On Monday, July 4, the port of Nagoya, Japan, was struck by LockBit 3.0. Cl0p continued to take advantage of more than 130 organizations they had breached in May and June before MOVEit was patched. ALPHV (BlackCat) used search engine optimization (SEO) poisoning and malvertisements to lure users into downloading a trojanized WinSCP (Windows Secure Copy Protocol), leading to lateral exploitation, data theft and ransomware infection. A Chinese APT labeled Storm-0558 acquired a Microsoft account (MSA) consumer key from a Microsoft engineer's system using an arcane series of loopholes. That key enabled the group to access Outlook and Outlook Web Access (OWA) accounts affecting about 25 organizations, including government agencies. Five zero-day vulnerabilities were mitigated on Microsoft Patch Tuesday. Zimbra Collaboration Suite contained a cross-site scripting zero-day vulnerability affecting the confidentiality and integrity of data. Adobe released an update to ColdFusion on Patch Tuesday. Three days later, Adobe released an out-of-cycle security bulletin for a deserialization zero-day vulnerability in ColdFusion. Two new zero-day vulnerabilities in Ivanti Endpoint Manager Mobile were exploited to breach the IT systems of a dozen ministries in Norway. Citrix released an advisory and patches for three vulnerabilities in NetScaler (formerly Citrix) application delivery controller (ADC) and NetScaler Gateway. CISA advised that one NetScaler vulnerability had been exploited to breach the network of a U.S. critical infrastructure organization in June. On August 2, we learned that 640 NetScaler servers had been backdoored by an unidentified TA and a China Chopper web shell installed.


August 


Multiple sources reported a decline in ransomware attacks in the range of 20%-33%. An ongoing espionage campaign targeting dozens of organizations in Taiwan was discovered. Researchers attributed the activity to a new Chinese APT group labeled Flax Typhoon. The threat group minimizes the use of custom malware and instead uses legitimate tools found in victims' operating systems to conduct its espionage operations ("living off the land"). VTRAC collected intelligence for another new APT, labeled Carderbee. That TA mounted a supply chain attack weaponizing updates from a Chinese security company to install a code-signed version of the PlugX backdoor to attack about 100 computers, mostly in Hong Kong. The North Korean Lazarus Group fielded new remote access trojans (RATs), QuiteRAT and CollectionRAT, and there were indications that the Lazarus Group was also shifting to "living off the land" TTP. The FBI announced a global operation against the Qbot (aka Qakbot) botnet. In Operation Duck Hunt, the FBI seized control of the botnet, removed the malware from infected devices and identified a substantial number of affected systems. As with many malware takedowns, the core cybercriminals were not arrested or confined, and Qbot would begin a comeback in December. Microsoft Patch Tuesday included mitigation of two exploited zero-day vulnerabilities: CVE-2023-38180 (patched) and CVE-2023-36884 (not patched).


September 


Caesars Entertainment discovered on September 7 that the ALPHV ransomware TA had performed a social engineering attack that targeted an outsourced IT support vendor, resulting in a breach of Caesars' network and its loyalty program database, which stores driver's license numbers and Social Security numbers for many customers. Caesars chose to pay roughly half of the $30 million ransom to recover its data. On September 1, MGM Resorts International disclosed the ALPHV ransomware TA had breached MGM's network using social engineering, then stole sensitive data and encrypted more than a hundred ESXi hypervisors. MGM informed the SEC that the cyberattack cost the company $100 million. Akira ransomware threat actors were targeting Cisco VPNs that were not configured for MFA to infiltrate organizations. Cisco released an advisory for a vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) that could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations. In August, Cisco became aware of attempted exploitation of this vulnerability in the wild. The University of Toronto's Citizen Lab reported that iOS zero-day vulnerabilities were exploited to install NSO Group's Pegasus commercial spyware. Microsoft Patch Tuesday included two zero-day vulnerabilities. The WebP Codec is used in countless applications and websites, and it had a zero-day vulnerability with attacks reported by Apple and Google. Adobe released an out-of-cycle advisory and patch to mitigate a zero-day remote code execution vulnerability in Adobe Acrobat and Reader.
October


In an advisory sent to an undisclosed number of customers on October 19, Okta said it had "identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system." An Okta spokesperson said the company notified about 1% of its customer base (170 customers), including 1Password and Cloudflare. On October 7, Hamas invaded Israel, triggering significant unrest. Within an hour, the Russian-affiliated group Anonymous Sudan claimed responsibility for potentially disabling an Israeli civilian app designed to alert citizens about missile attacks. Hacktivists aligned with each side of the conflict began conducting DoS attacks as well as hack-and-leak and defacements. For the most part, nation-state aligned APT actors conducted limited or no offensive cyber conflict activities targeting Hamas or Israel. Organizations with Atlassian's Confluence Data Center and Confluence Server reported compromises. Atlassian determined that a zero-day access control vulnerability, CVE-2023-22515, was being exploited. Apple released updates to iOS and iPadOS to address two more zero-day vulnerabilities. Three zero-days were among 104 security updates on Microsoft Patch Tuesday. Cisco and multiple intelligence sources have been tracking attacks exploiting a chain of two zero-day vulnerabilities in Cisco IOS XE software enabling creation of new accounts and implanting remote control malware.


November 


After a significant drop in observed ransomware attacks in September and October, November saw numbers rebound more to where we expected them to be. Carbanak, a well-known banking malware, returned from relative obscurity controlled by the FIN7 APT-grade cybercrime actor. Multiple sources linked FIN7 to Carbanak, Cl0p and ALPHV ransomware TAs. HelloKitty ransomware was attacking a zero-day vulnerability in Apache ActiveMQ, the popular open source, multiprotocol message broker. A zero-day vulnerability in SysAid IT service management software was being exploited by the Cl0p ransomware actors. The Russian APT Sandworm group was responsible for attacks against 22 critical infrastructure organizations in Denmark. November's Patch Tuesday addressed 77 Microsoft patches; among them, Microsoft released patches for three new zero-day vulnerabilities being exploited in the wild. Two F5 BIG-IP vulnerabilities were being attacked within five days of release of security advisories and patches. Chrome browser and multiple Apple products patched zero-day vulnerabilities. The Chinese APT, Mustang Panda, conducted cyberespionage campaigns targeting organizations in the Philippines and western Pacific Rim region.


December 


The Cyber Av3ngers, a hacktivist TA affiliated with the Islamic Revolutionary Guard Corps (IRGC), took responsibility for defacing workstations at Pennsylvania's Municipal Water Authority of Aliquippa. The TA reportedly hit multiple water utility companies in the United States by targeting Unitronics PLC devices. Ukraine's largest mobile operator, Kyivstar, was hit by a cyberattack that left its system infrastructure extensively damaged and knocked it out of operation for days. The Solntsepek TA, which had been previously linked to the notorious Sandworm Group, claimed the attack a day later, stating that it had destroyed 10,000 computers, more than 4,000 servers, all cloud storage and backup systems. Google's Chrome browser, QNAP's VioStor network video recorder and Future X Communications wireless LAN routers AE1021PE and AE1021 each patched new vulnerabilities that had already been successfully exploited in the wild. Barracuda ESG appliances had a zero-day vulnerability that was being successfully exploited by a Chinese threat actor. Midmonth, Microsoft warned that Qbot (Qakbot) was being distributed again in a phishing campaign pretending to be an email from an IRS employee.
Appendix A: How to read this report


Hello, and welcome first-time readers! Before you get started on the 2024 DBIR, it might be a good idea to take a look at this appendix first. We have been doing this report for a while now, and we appreciate that the verbiage we use can be a bit obtuse at times. We use very deliberate naming conventions, [...] consistent throughout the report. Hopefully this section will help make all of those more familiar.


VERIS Framework resources 


The terms "threat actions," "threat actors" and "varieties" will be referenced often. These are part of the Vocabulary for Event Recording and Incident Sharing (VERIS), a framework designed to allow for a consistent, unequivocal collection of security incident details. Here is how they should be interpreted:


Threat actor: Who is behind the event? This could be the external "bad guy" who launches a phishing campaign or an employee who leaves sensitive documents in their seat back pocket.


Threat action: What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error and Environmental. Examples at a high level are hacking a server, installing malware or influencing human behavior through a social attack.


Variety: More specific enumerations of higher-level categories, e.g., classifying the external "bad guy" as an organized criminal group or recording a hacking action as SQL injection or brute force.


Learn more here:

• https://github.com/vz-risk/dbir/tree/gh-pages/2024 includes DBIR facts, figures and figure data

• https://verisframework.org features information on the framework with examples and enumeration listings

• https://github.com/vz-risk/veris features information on the framework with examples and enumeration listings


Incident vs. breach 


We talk a lot about incidents and breaches and we use the following definitions:


Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.


Breach: An incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party. A DDoS attack, for instance, is most often an incident rather than a breach since no data is exfiltrated.

That doesn't make it any less serious.


Industry labels 


We align with the NAICS standard to categorize the victim organizations in our corpus. The standard uses two- to six-digit codes to classify businesses and organizations. Our analysis is typically done at the two-digit level, and we will specify NAICS codes along with an industry label. For example, a chart with a label of Financial (52) is not indicative of 52 as a value. "52" is the NAICS code for the Financial and Insurance sector. The overall label of "Financial" is used for brevity within the figures. Detailed information on the codes and the classification system are available here:


https://www.census.gov/naics/?58967?yearbck=2012


Being confident of our data 


Starting in 2019 with slanted bar charts, the DBIR has tried to make the point that the only certain thing about information security is that nothing is certain. Even with all the data we have, we'll never know anything with absolute certainty. However, instead of throwing our hands up and complaining that it is impossible to measure anything in a data-poor environment or, worse yet, just plain making stuff up, we get to work. This year, you'll continue to see the team representing uncertainty throughout the report figures.


The examples shown in Figures 80, 81, 82 and 83 all convey the range of realities that could credibly be true. Whether it be the slant of the bar chart, the threads of the spaghetti chart, the dots of the dot plot or the color of the pictogram plot, all convey the uncertainty of our industry in their own special way.


The slanted bar chart will be familiar to returning readers. The slant on the bar chart represents the uncertainty of that data point to a 95% confidence level (which is standard for statistical testing).


In layman's terms, if the slanted areas of two (or more) bars overlap, you can't


Much like the slanted bar chart, the spaghetti chart represents the same concept: the possible values that exist within the confidence interval. However, it's slightly more involved because we have the added element of time. The individual threads represent a sample of all possible connections between the points that exist within each observation's confidence interval. As you can see, some of the threads are looser than others, indicating a wider confidence interval and a smaller sample size.


Figure 81. Example spaghetti chart


The dot plot is another returning 


[Example dot plot. Legend: each dot represents 0.5% of organizations. Orange: lower half of 80%. Yellow: upper half of 80%. Green: 80%-95%. Blue: outliers. Values are shown on a log scale.]


The pictogram plot, our relative newcomer, attempts to capture uncertainty in a similar way to slanted bar charts but is more suited for a single proportion.


We hope they make your journey through this complex dataset even smoother than previous years.
Appendix B: Methodology


One of the things readers value most about this report is the level of rigor and integrity we employ when collecting, analyzing and presenting data. Knowing our readership cares about such things and consumes this information with a keen eye helps keep us honest. Detailing our methods is an important part of that honesty.


First, we make mistakes. A column transposed here, a number not updated there. We're likely to discover a few things to fix. When we do, we'll list them on our corrections page: https://verizon.com/business/resources/reports/dbir/2024/corrections.


Second, science comes in two flavors: creative exploration and causal hypothesis testing. The DBIR is squarely in the former. While we may not be perfect, we believe we provide the best obtainable version of the truth (to a given level of confidence and under the influence of biases acknowledged below). However, proving causality is best left to randomized control trials. The best we can do is correlation. And while correlation is not causation, they are often related to some extent and often useful.


Non-committal disclaimer


We would like to reiterate that we make no claim that the findings of this report are representative of all data breaches in all organizations at all times. Even though we believe the combined records from all our contributors more closely reflect reality than any of them in isolation, it is still a sample. And although we believe many of the findings presented in this report to be appropriate for generalization (and our conviction in this grows as we gather more data and compare it to that of others), bias exists.


The DBIR process


Our overall process remains intact and largely unchanged from previous years. All incidents included in this report were reviewed and converted (if necessary) into the VERIS framework to create a common, anonymous aggregate dataset. If you are unfamiliar with the VERIS framework, it is short for Vocabulary for Event Recording and Incident Sharing. It is free to use, and links to VERIS resources appear throughout this report.


The collection method and conversion techniques differed between contributors. In general, three basic methods (expounded below) were used to accomplish this:


1. Direct recording of paid external forensic investigations and related intelligence operations conducted by Verizon using the VERIS Webapp.


2. Direct recording by partners using VERIS.


3. Converting partners' existing schema into VERIS.


All contributors received instruction to omit any information that might identify organizations or individuals involved.


Some source spreadsheets are converted to our standard spreadsheet format through automated mapping to ensure consistent conversion. Reviewed spreadsheets and VERIS Webapp JavaScript Object Notation (JSON) are ingested by an automated workflow that converts the incidents and breaches within into the VERIS JSON format as necessary, adds missing enumerations, and then validates the record against business logic and the VERIS schema. The automated workflow subsets the data and analyzes the results. Based on the results of this exploratory analysis, the validation logs from the workflow and discussions with the partners providing the data, the data is cleaned and reanalyzed. This process runs nightly for roughly two months as data is collected and analyzed.


Incident data 


Our data is non-exclusively multinomial, meaning that a single feature, such as "Action," can have multiple values (i.e., "Social," "Malware" and "Hacking"). This means that percentages do not necessarily add up to 100%. For example, if there are five botnet breaches, the sample size is five. However, since each botnet used phishing, installed keyloggers and used stolen credentials, there would be five Social actions, five Hacking actions and five Malware actions, adding up to 300%. This is normal, expected and handled correctly in our analysis and tooling.


Another important point is that when looking at the findings, "unknown" is equivalent to "unmeasured." Which is to say that if a record (or collection of records) contains elements that have been marked as "unknown" (whether it is something as basic as the number of records involved in the incident or as complex as what specific capabilities a piece of malware contained), it means that we cannot make statements about that particular element as it stands in the record; we cannot measure where we have too little information. Because they are unmeasured, they are not counted in sample sizes. The enumeration "Other," however, is counted because it means that the value was known but not part of VERIS (or not one of the other bars if found in a bar chart). Finally, "Not Applicable" (normally "n/a") may be counted or not counted depending on the claim being analyzed.


This year we have made liberal use of confidence intervals to allow us to analyze smaller sample sizes. We have adopted a few rules to help minimize bias in reading such data. Here we define "small sample" as less than 30 samples.


1. Sample sizes smaller than five are too small to analyze.


2. We won't talk about count or percentage for small samples. This goes for figures too and is why some figures lack the dot for the median frequency.


3. For small samples, we may talk about the value being in some range or values being greater/less than each other. These all follow the confidence interval approaches listed above.
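The counting rules above (multi-valued Actions, "unknown" dropped from the sample size, "Other" kept, and the three small-sample rules), together with the 95% confidence interval behind the slanted bar charts described in Appendix A, worked through in Python. This is an added example, not DBIR or VERIS tooling: the records are constructed, and the Wilson score interval is one standard way to compute a proportion's interval, assumed here rather than taken from the report.

```python
"""Counting non-exclusively multinomial VERIS-style data with DBIR-like rules.

Added example, not DBIR or VERIS project code. It shows (1) why Action
percentages can sum past 100%, (2) why "Unknown" drops out of the sample size
while "Other" stays in, (3) a 95% interval of the kind a slanted bar spans,
and (4) the small-sample rules. All records below are constructed.
"""
from collections import Counter
from math import sqrt

Z95 = 1.96          # standard normal quantile for a 95% confidence level
SMALL_SAMPLE = 30   # the report's "small sample" threshold
MIN_SAMPLE = 5      # below this, too small to analyze at all

# Five constructed botnet breaches: each used phishing (Social), installed a
# keylogger (Malware) and used stolen credentials (Hacking).
BOTNET_BREACHES = [{"action": {"Social", "Malware", "Hacking"}} for _ in range(5)]

# The same five plus one record whose Action is unknown (unmeasured) and one
# whose Action was known but is not a VERIS category (Other).
MIXED_BREACHES = BOTNET_BREACHES + [{"action": {"Unknown"}}, {"action": {"Other"}}]


def measured(values):
    """A record is measured for a field if it has at least one non-Unknown value."""
    return any(v != "Unknown" for v in values)


def action_percentages(records, field="action"):
    """Return (sample_size, {value: percent}).

    The sample size counts only measured records. Every known value in a
    record is counted, so the percentages may add up to more than 100%.
    """
    sample = [r for r in records if measured(r.get(field, set()))]
    counts = Counter(v for r in sample for v in r[field] if v != "Unknown")
    n = len(sample)
    pct = {v: 100.0 * c / n for v, c in counts.items()} if n else {}
    return n, pct


def wilson_interval(successes, n, z=Z95):
    """Wilson score interval for a proportion (assumed method, not the report's)."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    center = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, center - half), min(1.0, center + half))


def describe(successes, n):
    """Apply the report's small-sample rules to one count out of n."""
    if n < MIN_SAMPLE:
        return {"n": n, "verdict": "too small to analyze"}
    lo, hi = wilson_interval(successes, n)
    out = {"n": n, "interval": (round(100 * lo, 1), round(100 * hi, 1))}
    if n < SMALL_SAMPLE:
        # Small sample: talk about the range only, never the count or percentage.
        out["verdict"] = "small sample: range only"
    else:
        out["verdict"] = "ok"
        out["count"] = successes
        out["percentage"] = round(100.0 * successes / n, 1)
    return out


if __name__ == "__main__":
    n, pct = action_percentages(BOTNET_BREACHES)
    print(n, pct, f"sum={sum(pct.values()):.0f}%")   # 5 breaches, 300%
    n, pct = action_percentages(MIXED_BREACHES)
    print(n, pct)                                      # n is 6, not 7
    print(describe(5, 5))                              # range only
    print(describe(50, 100))                           # count and percentage
```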


Incident eligibility


For a potential entry to be eligible for the incident/breach corpus, a couple of requirements must be met. The entry must be a confirmed security incident defined as a loss of confidentiality, integrity or availability. In addition to meeting the baseline definition of security incident, the entry is assessed for quality. We create a subset of incidents (more on subsets later) that pass our quality filter. The details of what is a "quality" incident are:


• The incident must have at least seven enumerations (e.g., threat actor variety, threat action category, variety of integrity loss, et al.) across 34 fields OR be a DDoS attack. Exceptions are given to confirmed data breaches with less than seven enumerations.


• The incident must have at least one known VERIS threat action category (Hacking, Malware, etc.).


In addition to having the level of details necessary to pass the quality filter, the incident must be within the time frame of analysis (November 1, 2022, to October 31, 2023, for this report). The 2023 caseload is the primary analytical focus of the report, but the entire range of data is referenced throughout, notably in trending graphs. We also exclude incidents and breaches affecting individuals that cannot be tied to an organizational attribute loss. If your friend's laptop was hit with Trickbot, it would not be included in this report.
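An added illustration of the eligibility and quality checks above as a filter over flattened records; it is not DBIR tooling. The field names (incident_date, victim_type, attributes, action, hacking_variety, data_disclosure and so on) are hypothetical stand-ins for VERIS fields, the records are constructed, and the DDoS exception is modeled as a Hacking action of variety "DoS".

```python
"""Eligibility and quality filter modeled on DBIR Appendix B (added example).

Not DBIR tooling. Records are flat dicts with hypothetical field names; real
VERIS records are nested JSON. A value of None, "" or "Unknown" is unmeasured.
"""
from datetime import date

ANALYSIS_START = date(2022, 11, 1)   # time frame of analysis for the 2024 report
ANALYSIS_END = date(2023, 10, 31)
MIN_ENUMERATIONS = 7                 # quality filter: at least seven known enumerations
ACTION_CATEGORIES = {"Malware", "Hacking", "Social", "Misuse", "Physical", "Error", "Environmental"}
CIA = {"Confidentiality", "Integrity", "Availability"}


def is_known(value):
    """True if the field carries a known value (a set counts if any member is known)."""
    if isinstance(value, (set, list, tuple)):
        return any(is_known(v) for v in value)
    return value not in (None, "", "Unknown")


def known_fields(record):
    """Number of fields with a known enumeration (stands in for 'across 34 fields')."""
    return sum(1 for v in record.values() if is_known(v))


def eligibility(record):
    """Return (eligible, reasons); an empty reasons list means every check passed."""
    reasons = []
    # 1. Confirmed security incident: some CIA attribute was actually lost.
    if not (set(record.get("attributes", ())) & CIA):
        reasons.append("no confirmed loss of confidentiality, integrity or availability")
    # 2. Inside the analysis time frame.
    when = record.get("incident_date")
    if when is None or not (ANALYSIS_START <= when <= ANALYSIS_END):
        reasons.append("outside analysis time frame")
    # 3. Tied to an organizational attribute loss (your friend's laptop is out).
    if record.get("victim_type") != "organization":
        reasons.append("not tied to an organizational loss")
    # 4. At least one known VERIS threat action category.
    if not (set(record.get("action", ())) & ACTION_CATEGORIES):
        reasons.append("no known threat action category")
    # 5. Quality: >= 7 known enumerations, OR a DDoS, OR a confirmed data breach.
    is_ddos = "DoS" in record.get("hacking_variety", ())
    confirmed_breach = record.get("data_disclosure") == "Yes"
    if known_fields(record) < MIN_ENUMERATIONS and not (is_ddos or confirmed_breach):
        reasons.append("fails quality filter (too few enumerations)")
    return (not reasons, reasons)


# Constructed records (hypothetical values, not data from the report).
RICH_BREACH = {
    "incident_date": date(2023, 3, 14), "victim_type": "organization",
    "attributes": {"Confidentiality"}, "data_disclosure": "Yes",
    "action": {"Social", "Hacking", "Malware"}, "hacking_variety": {"Use of stolen creds"},
    "actor": "External", "actor_variety": "Organized crime", "asset": "Server",
    "discovery_method": "External - actor disclosure",
}
SPARSE_DDOS = {  # only five known fields, but DDoS is exempt from the threshold
    "incident_date": date(2023, 8, 1), "victim_type": "organization",
    "attributes": {"Availability"}, "action": {"Hacking"}, "hacking_variety": {"DoS"},
}
SPARSE_INCIDENT = dict(SPARSE_DDOS, hacking_variety={"Brute force"}, data_disclosure="Unknown")
FRIENDS_LAPTOP = {  # the Trickbot-on-a-friend's-laptop case from the text
    "incident_date": date(2023, 5, 2), "victim_type": "individual",
    "attributes": {"Integrity"}, "action": {"Malware"}, "malware_variety": {"Trojan"},
    "actor": "External", "asset": "Laptop", "data_disclosure": "Unknown",
}
STALE_INCIDENT = dict(RICH_BREACH, incident_date=date(2022, 6, 30))
UNKNOWN_ACTION = dict(RICH_BREACH, action={"Unknown"})

if __name__ == "__main__":
    for name, rec in [("rich breach", RICH_BREACH), ("sparse DDoS", SPARSE_DDOS),
                      ("sparse incident", SPARSE_INCIDENT), ("friend's laptop", FRIENDS_LAPTOP),
                      ("stale incident", STALE_INCIDENT), ("unknown action", UNKNOWN_ACTION)]:
        ok, why = eligibility(rec)
        print(f"{name:16s} eligible={ok} {why}")
```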


Lastly, for something to be eligible for inclusion into the DBIR, we have to know about it, which brings us to several potential biases we will discuss below.


Acknowledgment and analysis of bias


Many breaches go unreported (though our sample does contain many of those). Many more are as yet unknown by the victim (and thereby unknown to us). Therefore, until we (or someone) can conduct an exhaustive census of every breach that happens in the entire world each year (our study population), we must use sampling. Unfortunately, this process introduces bias.
Figure 85. Individual contributors per Actor

Figure 86. Individual contributors per Asset

Figure 87. Individual contributors per Attribute


The first type of bias is random bias introduced by sampling. This year, our maximum confidence is +/- 0.5% for incidents and +/- 0.8% for breaches, which is related to our sample size. Any subset with a smaller sample size is going to have a wider confidence margin. We've expressed this confidence in the complementary cumulative density (slanted) bar charts, hypothetical outcome plot (spaghetti) line charts and quantile dot plots.


The second source of bias is sampling bias. We strive for "the best obtainable version of the truth" by collecting breaches from a wide variety of contributors. Still, it is clear that we conduct biased sampling. For instance, some breaches, such as those publicly disclosed, are more likely to enter our corpus, while others, such as classified breaches, are less likely.


The four figures on the left are an attempt to visualize potential sampling bias. Each radial axis is a VERIS enumeration, and we have stacked bar charts representing our data contributors. Ideally, we want the distribution of sources to be roughly equal on the stacked bar charts along all axes. Axes only represented by a single source are more likely to be biased. However, contributions are inherently thick tailed, with a few contributors providing a lot of data and a lot of contributors providing a few records within a certain area. Still, we mostly see that most axes have multiple large contributors with small contributors adding appreciably to the total incidents along that axis.


You'll notice rather large contributions on many of the axes. While we'd generally be concerned about this, they represent contributions aggregating several other sources, not actual single contributions. It also occurs along most axes, limiting the bias introduced by that grouping of indirect contributors.


The third source of bias is confirmation bias. Because we use our entire dataset for exploratory analysis, we cannot test specific hypotheses. Until we develop a collection method for data breaches beyond a sample of convenience, this is probably the best that can be done.


As stated above, we attempt to mitigate these biases by collecting data from diverse contributors. We follow a consistent multiple-review process, and "when we hear hooves, we think horses, not zebras." We also try to review findings with subject matter experts in the specific areas ahead of release.


Data subsets 


We already mentioned the subset of incidents that passed our quality requirements, but as part of our analysis, there are other instances where we define subsets of data. These subsets consist of legitimate incidents that would eclipse smaller trends if left in. These are removed and analyzed separately, though they may not be written about if no relevant findings were, well, found. This year we have two subsets of legitimate incidents that are not analyzed as part of the overall corpus:


1. We separately analyzed a subset of web servers that were identified as secondary targets (such as taking over a website to spread malware).


2. We separately analyzed botnet-related incidents.


Both subsets were separated the last seven years as well.


Finally, we create some subsets to help further our analysis. In particular, a single subset is used for all analysis within the DBIR unless otherwise stated. It includes only quality incidents as described above and excludes the aforementioned two subsets.


105 A unique finding is more likely to be something mundane such as a data collection issue, than an


Since the 2015 issue, the DBIR includes data that requires analysis that did not fit into our usual categories of "incident" or "breach." Examples of non-incident data include malware, patching, phishing and DDoS. The sample sizes for non-incident data tend to be much larger than the incident data but from fewer sources. We make every effort to normalize the data (for example, weighting records by the number contributed from the organization so all organizations are represented equally). We also attempt to combine multiple partners with similar data to conduct the analysis wherever possible. Once analysis is complete, we try to discuss our findings with the relevant partner or partners so as to validate it against their knowledge of the data.
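The normalization described above, weighting each record by the number of records its contributor supplied so that every organization is represented equally, worked through on constructed telemetry. This is an added example, not DBIR code; the contributor names and rows are constructed, and the per-partner breakdown is included to show the figure one would validate with each partner.

```python
"""Equal-representation weighting for non-incident data (malware,
phishing, patching or DDoS telemetry) where a few partners supply most
records. Added example, not DBIR code; contributors and rows are constructed."""
from collections import Counter, defaultdict

def naive_share(rows, field, value):
    """Plain fraction of rows with row[field] == value; big partners dominate."""
    return sum(1 for r in rows if r[field] == value) / len(rows)

def per_contributor_share(rows, field, value, org="contributor"):
    """Each partner's own fraction, the number to validate with that partner."""
    totals, hits = Counter(), defaultdict(int)
    for r in rows:
        totals[r[org]] += 1
        if r[field] == value:
            hits[r[org]] += 1
    return {o: hits[o] / totals[o] for o in totals}

def org_weighted_share(rows, field, value, org="contributor"):
    """Weight every row by 1 / (rows from its contributor), so each
    organization sums to one; this equals the mean of per-partner shares."""
    shares = per_contributor_share(rows, field, value, org)
    return sum(shares.values()) / len(shares)

# Constructed telemetry: one large partner sees mostly malware, two small
# partners see mostly phishing.
ROWS = (
    [{"contributor": "BigVendor", "type": "malware"}] * 900
    + [{"contributor": "BigVendor", "type": "phishing"}] * 100
    + [{"contributor": "SmallA", "type": "phishing"}] * 8
    + [{"contributor": "SmallA", "type": "malware"}] * 2
    + [{"contributor": "SmallB", "type": "phishing"}] * 5
    + [{"contributor": "SmallB", "type": "malware"}] * 5
)
```

On these rows the naive phishing share is about 11% because the large partner's 1,000 records swamp the other two, while the organization-weighted share is about 47%.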


Appendix C: U.S. Secret Service

Combating Cybercrime Amid Technological Change

By Assistant Director Brian Lambert and Assistant Special Agent in Charge Krzysztof Bossowski, United States Secret Service


The U.S. Secret Service worked to combat fraud through traditional methods while identifying new threats driven by emerging technology in 2023. Ransomware continued to feature prominently in data breaches impacting U.S. companies. Meanwhile, transnational cybercriminals were increasingly successful in finding innovative ways to enable their fraud schemes. Artificial intelligence (AI) captured the world's attention and imagination, and cybercriminals were among the early adopters. The Secret Service investigated numerous cybercriminals experimenting with these new generative tools to commit fraud. In response, the agency also partnered with the same technology companies these fraudsters relied upon for their schemes. This proved a valuable strategy to detect scams and hold bad actors accountable.


The Secret Service is built on a foundation of protecting the integrity of our nation's financial system. The agency was created in 1865 to address a surge in counterfeiting following the Civil War. Today, the agency continues to fight counterfeiting while also battling computer fraud and abuse, bank fraud, payment card fraud, identity theft, financial extortion, wire fraud, and more. Additionally, the Secret Service is charged with providing investigative assistance to local law enforcement and the National Center for Missing & Exploited Children.

The continued success of the Secret Service's investigative mission depends on partnerships with law enforcement agencies and private sector experts. The Secret Service operates a network of Cyber Fraud Task Forces (CFTF) throughout the country, which fosters these interactions with our partners. Long-term partnerships are the best mechanism to prevent and mitigate cybercrime.


The use of ransomware to exploit businesses again played a significant role in major data breaches. The criminal organizations behind these attacks heavily leveraged the crime-as-a-service business model, including threatening to publish stolen data. The Secret Service, alongside its law enforcement and private sector partners, fought against these criminals. The team approach foiled several ransomware campaigns and protected a number of targeted American companies and organizations. Agents also infiltrated these criminal organizations and developed tangible information for IT administrators. This enabled IT teams to implement countermeasures to protect their corporate infrastructure, significantly reducing data breaches and financial losses. Industry reports on ransomware show mixed trends in the prevalence and revenue generated through ransomware scams in 2023. Our work continues as we strive to end the profitability of such schemes.


Generative AI remains a hot topic. ChatGPT became a technological hit in January 2023 with 100 million registered active users. Legitimate customers used the AI tool to write papers and answer questions. But within weeks, criminals also leveraged AI tools in fraud and extortion schemes. For example, a Secret Service investigation led to the arrest of a group of individuals who used AI-powered translation tools. These individuals did not speak English or have any advanced computer skills. Yet, these bad actors used the new tools to create transnational romance and extortion plots to defraud victims of millions of dollars. The victims in these cases were not aware the translation was taking place or even that they were interacting with someone in a foreign country.


106 https://www.secretservice.gov/newsroom/releases/2023/06/ive-chs


To stay ahead of the criminal element, the Secret Service is increasingly partnering with technology companies to ensure new technology aids in preventing, rather than enabling, crime. This includes measures that companies can implement to detect misuse of their tools and exploring how these technologies can appropriately aid investigations. For example, our research teams and investigators increasingly face difficulty analyzing large digital data sets. However, new data analytic techniques can significantly improve our ability to detect and address illicit activity. These new techniques were used successfully in investigating a large-scale fraud scheme impacting the State of California. Within a few weeks of work on this case, investigators identified patterns in the fraud schemes that resulted in Secret Service agents arresting five criminals withdrawing tens of thousands of dollars from ATMs using information stolen from California-based users of Electronic Benefit Transfer (EBT) cards.** This case demonstrated how new data tools aid in analysis and have the potential to quickly detect and address illicit activity in both the public and private sectors.

Whether battling ransomware, credit card fraud, or protecting minors from online child predators, the Secret Service works to stay on the cutting edge of technology. New technology enables criminals and investigators alike, and our private sector and law enforcement partnerships are the key to detecting and preventing illicit activity. Our network of Cyber Fraud Task Forces will continue to foster regular interaction with our partners to promote the prevention and mitigation of cybercrime with the critical goal of protecting America's financial interests. Working together, we can identify and implement ways to use technology effectively to prevent crime.


Appendix D: Using the VERIS Community Database (VCDB) to Estimate Risk

By HALOCK Security Labs and the Center for Internet Security (CIS)

The VCDB was a leap forward in incident sharing. For CIS and HALOCK, it is a solid foundation for risk analysis. One of the biggest challenges in conducting risk assessments is estimating the likelihood that an incident will occur. The VCDB contains a lot of structured incident data, so we were sure we could use it to somehow help us solve that challenge.

When we started exploring the VCDB together, it held about 7,500 incident records, each with about 2,500 data points telling us how each incident occurred. But that's almost 19 million data points! How could we shape that data to help the CIS community estimate risks?


We experimented and discovered many useful aggregations that brought shape and meaning to the mass of recorded incidents. By focusing on the attack varieties in the recordset, we could see how commonly (or uncommonly) certain attacks were used. Shifting our attention to attack vectors or vulnerabilities helped us understand how certain weaknesses have contributed to incidents. Aggregating data based on industries (right down to the NAICS codes) showed how attack methods are correlated to the distribution of assets that are common in types of organizations.


We realized that the data could be shaped to answer more complex questions, like what industries are more or less susceptible to which kinds of attacks, or what attack methods are most or least commonly associated with which asset classes. If you were patient and skilled, you could also find out what kinds of attacks trended higher or lower year-over-year, or which assets and methods are most frequently correlated with each other in attacks.


If your heart rate went up while reading that previous paragraph, then you're our kind of people. But as much fun as we were having, we had to focus on our purpose: find the simplest way to model risk probability for the widest population.


We settled on a simple correlation between the VCDB data and the CIS Controls when we noticed how commonly certain asset classes were exploited in attacks. Because the CIS Controls safeguards are associated with asset classes and the VCDB shows the assets involved in each incident, we could tie the VCDB incidents to the CIS safeguards that would help prevent types of attacks. We were then able to bake that into our risk assessment method, CIS RAM, to help enterprises estimate the likelihood portion of their risk analysis. The more commonly an asset appeared in incident records, the more likely it would be the cause of an eventual incident, unless its corresponding safeguards were strong. This insight became our "Expectancy" score to automatically estimate risk likelihood.


These two diagrams illustrate that Expectancy correlation. Figure 88 depicts a correlation between the commonality of an asset in the VCDB and the maturity of a CIS Controls safeguard that would protect that asset. A low asset commonality matched with a high maturity control would make the expectancy score low (in this illustration, 2 out of 5).




Figure 88. Low asset commonality and high control maturity


107 https://learn.cisecurity.org/cis-ram


Conversely, Figure 89 shows how a 
high Expectancy score would result 
from a high asset commonality and a 
low control maturity. 


Figure 89. High asset commonality and low control maturity


If we stated this correlation in plain language, we would say that the more commonly an asset is compromised, the more capable our controls for that asset should be.
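An Expectancy-style score computed from asset commonality in VCDB-like incident records and safeguard maturity, showing the correlation just described (low commonality with a mature control scores 2 of 5; high commonality with a weak control scores 5). This is an added example, not CIS RAM or HALOCK code: the 1 to 5 commonality cut-offs and the combining rule are this example's own assumptions, and the incident records and maturity ratings are constructed.

```python
"""Expectancy-style scoring from asset commonality and CIS Controls
safeguard maturity. Added example, not CIS RAM or HALOCK code: the binning
cut-offs and combining rule are assumptions that only reproduce the
direction of the correlation; records and ratings are constructed."""
from collections import Counter

def asset_commonality(records):
    """Share of incident records in which each asset variety appears."""
    counts = Counter(a for rec in records for a in set(rec["assets"]))
    return {asset: n / len(records) for asset, n in counts.items()}

def commonality_score(share):
    """Bin a 0-1 share into 1 (rare) .. 5 (very common). Assumed cut-offs."""
    for score, ceiling in ((1, 0.05), (2, 0.15), (3, 0.30), (4, 0.50)):
        if share < ceiling:
            return score
    return 5

def expectancy(commonality, maturity):
    """Assumed rule: combine commonality (1-5) with inverted maturity (1-5)
    and round up onto the 1-5 scale. Rare asset + strong control -> 1;
    very common asset + weak control -> 5; no time frame is implied."""
    if not (1 <= commonality <= 5 and 1 <= maturity <= 5):
        raise ValueError("scores must be on the 1-5 scale")
    return (commonality + (6 - maturity) + 1) // 2

def expectancy_table(records, maturity_by_asset):
    """Expectancy per asset for which a safeguard maturity has been rated."""
    shares = asset_commonality(records)
    return {asset: expectancy(commonality_score(shares.get(asset, 0.0)), m)
            for asset, m in maturity_by_asset.items()}

def prioritize(records, maturity_by_asset):
    """Assets whose safeguards to improve first: highest Expectancy first."""
    table = expectancy_table(records, maturity_by_asset)
    return sorted(table, key=lambda a: (-table[a], a))

# Constructed VCDB-like records (100 incidents) listing the assets involved.
RECORDS = (
    [{"assets": ["S - Web application", "S - Database"]}] * 45
    + [{"assets": ["U - Desktop", "P - End-user"]}] * 25
    + [{"assets": ["S - Mail"]}] * 20
    + [{"assets": ["M - Documents"]}] * 5
    + [{"assets": ["S - File"]}] * 5
)
# Constructed safeguard maturity ratings (1 = weak .. 5 = strong).
MATURITY = {"S - Web application": 1, "U - Desktop": 3,
            "S - Mail": 5, "M - Documents": 5}
```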


But no risk analysis is complete without also considering the impact of an incident. CIS RAM uses additional methods to help enterprises estimate impact scores, so when paired with the Expectancy scores, they have evidence-based risk analysis. And in the spirit of the VCDB community, CIS RAM could freely provide that analysis to anyone who needs it.


Risk analysts might wonder about our use of the word "expectancy" rather than "likelihood" or "probability." This was a careful choice driven by what the VCDB can tell us.


The word "probability" is best suited for statistical analysis that results in a calculated percentage range or value within a time period (e.g., "between a 12% and 22% chance," or "12% probability in a year"). "Likelihood" is typically used more colloquially or for less rigorous estimation processes ("very likely," "not likely," etc.) but still implies a time period or frequency.


The Expectancy score, however, does not consider a time frame. It says that we accept that an incident of some kind will occur, and that the higher the Expectancy score, the more we expect that asset and control to be involved. The lower the Expectancy score, the less we expect the asset and control to be involved.


This helps each enterprise prioritize the improvement of safeguards that could reduce risk the most.


Our correlation is not the only way that organizations can use the VCDB to estimate the likelihood of attacks. Even CIS and HALOCK use our own aggregations of the data given our different purposes. Consider how you would manage your cyber security program if you knew what attack methods were most common in your industry, or what attack methods correspond to what assets, or what was trending higher over time.


Take time to explore the VCDB for your risk analysis uses. You'll be impressed with what you find.


The VERIS Community Database
https://verisframework.org/vcdb.html


Appendix E: 
Contributing 
organizations 


A
Akamai Technologies
Apura Cyber Intelligence

B
Balbix
Bitsight
BlackBerry

C
Censys, Inc.
Center for Internet Security (CIS)
Cequence Security
CERT Division of Carnegie Mellon University's Software Engineering Institute
CERT - European Union (CERT-EU)
CERT Polska
Check Point Software Technologies Ltd.
Chubb
City of London Police
Coalition
Coveware
Cowbell Cyber Inc.
CrowdStrike
Cyber Security Agency of Singapore
Cybersecurity and Infrastructure Security Agency (CISA)
CyberSecurity Malaysia, an agency under the Ministry of Communications and Multimedia (KKMM)
Cybersixgill
Cyentia Institute

D
Defense Counterintelligence and Security Agency (DCSA)
DomainTools

E
Edgescan
Emergence Insurance
EUROCONTROL
EVIDEN

F
Federal Bureau of Investigation - Internet Crime Complaint Center (FBI IC3)

G
Global Resilience Federation
GreyNoise

H
Halcyon
HALOCK Security Labs

I
Information Commissioner's Office (ICO)
Irish Reporting and Information Security Service (IRISS-CERT)
Ivanti

J
JPCERT/CC

K
K-12 Security Information Exchange (K12 SIX)
Kaspersky
KnowBe4
KordaMentha

L
Legal Services Information Sharing and Analysis Organization (LS-ISAO)

M
Maritime Transportation System ISAC (MTS-ISAC)
Mimecast

N
National Crime Agency
National Cyber-Forensics & Training Alliance (NCFTA)
National Fraud Intelligence Bureau
NetDiligence
NETSCOUT

O
Okta
OpenText Cybersecurity

P
Palo Alto Networks

Q
Qualys

R
Recorded Future, Inc.
Resilience
ReversingLabs

S
S21sec by Thales
Securin, Inc.
SecurityTrails, a Recorded Future Company
Shadowserver Foundation
Shodan
Sistemas Aplicativos
Sophos
Swisscom

U
U.S. Secret Service

V
VERIS Community Database
Verizon Cyber Risk Programs
Verizon Cyber Security Consulting
Verizon DDoS Defense
Verizon Network Operations and Engineering
Verizon Threat Research Advisory Center (VTRAC)
Vestige Digital Investigations

W
WatchGuard Technologies, Inc.

Z
Zscaler